Account Password Reset Remotely

edit

Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-system.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 5 (version history)

Added (Elastic Stack release): 8.0.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Legitimate remote account administration.

Rule query

edit
sequence by host.id with maxspan=5m [authentication where
event.action == "logged-in" and /* event 4624 need to be logged */
winlog.logon.type : "Network" and event.outcome == "success" and
source.ip != null and source.ip != "127.0.0.1" and source.ip !=
"::1"] by winlog.event_data.TargetLogonId /* event 4724 need to be
logged */ [iam where event.action == "reset-password" and (
/* This rule is very noisy if not scoped to privileged
accounts, duplicate the rule and add your own naming convention
and accounts of interest here. */
winlog.event_data.TargetUserName: ("*Admin*", "*super*", "*SVC*",
"*DC0*", "*service*", "*DMZ*", "*ADM*") or
winlog.event_data.TargetSid : "S-1-5-21-*-500" ) ] by
winlog.event_data.SubjectLogonId

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 5 (8.4.0 release)
  • Updated query, changed from:

    sequence by host.id with maxspan=5m [authentication where
    event.action == "logged-in" and /* event 4624 need to be logged */
    winlog.logon.type : "Network" and event.outcome == "success" and
    source.ip != null and source.ip != "127.0.0.1" and source.ip !=
    "::1"] by winlog.event_data.TargetLogonId /* event 4724 need to be
    logged */ [iam where event.action == "reset-password"] by
    winlog.event_data.SubjectLogonId
Version 3 (8.2.0 release)
  • Formatting only
Version 2 (8.1.0 release)
  • Updated query, changed from:

    sequence by host.id with maxspan=5m [authentication where
    event.action == "logged-in" and /* event 4624 need to be logged */
    winlog.logon.type : "Network" and event.outcome == "success" and
    source.ip != null and not source.ip in ("127.0.0.1", "::1")] by
    winlog.event_data.TargetLogonId /* event 4724 need to be logged */
    [iam where event.action == "reset-password"] by
    winlog.event_data.SubjectLogonId