Account Password Reset Remotely
Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.
Elastic rule
```toml
[metadata]
creation_date = "2021/10/18"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account
passwords to maintain access or evade password duration policies and preserve compromised credentials.
"""
false_positives = ["Legitimate remote account administration."]
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Account Password Reset Remotely"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Account Password Reset Remotely

Remote password resets are crucial for managing user accounts, especially for privileged users. However, adversaries exploit this by resetting passwords to maintain unauthorized access or bypass security policies. The detection rule identifies suspicious remote password resets by monitoring successful network logins and subsequent password reset actions, focusing on privileged accounts to minimize noise and highlight potential threats.

### Possible investigation steps

- Review the source IP address from the authentication event to determine if it is from a known or trusted network. Investigate any unfamiliar or suspicious IP addresses.
- Check the winlog.event_data.TargetUserName from the password reset event to confirm if it belongs to a privileged account and verify if the reset was authorized.
- Correlate the winlog.event_data.SubjectLogonId from both the authentication and password reset events to ensure they are linked and identify the user or process responsible for the actions.
- Investigate the timing and frequency of similar events to identify patterns or anomalies that may indicate malicious activity.
- Examine any recent changes or activities associated with the account in question to assess if there are other signs of compromise or unauthorized access.

### False positive analysis

- Routine administrative tasks can trigger false positives when legitimate IT staff reset passwords for maintenance or support. To manage this, create exceptions for known IT personnel or service accounts that frequently perform these actions.
- Automated scripts or tools used for account management might cause false alerts. Identify and exclude these scripts or tools by their specific account names or IP addresses.
- Scheduled password resets for compliance or security policies may appear suspicious. Document and exclude these scheduled tasks by their timing and associated accounts.
- Service accounts with naming conventions similar to privileged accounts might be flagged. Review and adjust the rule to exclude these specific service accounts by refining the naming patterns in the query.
- Internal network devices or systems that perform regular password resets could be misinterpreted as threats. Whitelist these devices by their IP addresses or hostnames to reduce noise.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Revoke any active sessions associated with the compromised account to disrupt any ongoing malicious activities.
- Reset the password of the affected account using a secure method, ensuring it is done from a trusted and secure system.
- Conduct a thorough review of recent account activities and system logs to identify any additional unauthorized changes or access attempts.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
- Implement additional monitoring on the affected account and related systems to detect any further suspicious activities.
- Review and update access controls and privileged account management policies to prevent similar incidents in the future.

## Performance
This rule may cause medium to high performance impact because the first stage of its sequence evaluates all remote Windows logon activity.
"""
references = [
    "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724",
    "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/",
    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx",
    "https://www.elastic.co/security-labs/detect-credential-access",
]
risk_score = 47
rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Impact",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by winlog.computer_name with maxspan=1m
  [authentication where event.action == "logged-in" and
    /* event 4624 needs to be logged */
    winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
    source.ip != "127.0.0.1" and source.ip != "::1" and
    not winlog.event_data.TargetUserName : ("svc*", "PIM_*", "_*_", "*-*-*", "*$")] by winlog.event_data.TargetLogonId
   /* event 4724 needs to be logged */
  [iam where event.action == "reset-password" and
   (
    /*
       This rule is very noisy if not scoped to privileged accounts; duplicate the
       rule and add your own naming convention and accounts of interest here.
     */
    winlog.event_data.TargetUserName: ("*Admin*", "*super*", "*SVC*", "*DC0*", "*service*", "*DMZ*", "*ADM*") or
    winlog.event_data.TargetSid : ("S-1-5-21-*-500", "S-1-12-1-*-500")
    )
  ] by winlog.event_data.SubjectLogonId
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1531"
name = "Account Access Removal"
reference = "https://attack.mitre.org/techniques/T1531/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
```
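The EQL sequence above joins a remote network logon (event 4624) to a later password reset (event 4724) on the same host by matching the logon's TargetLogonId to the reset's SubjectLogonId inside a one-minute window, and it only fires when the reset target looks privileged. The Python below is an added example, not Elastic's code, that replicates that logic in plain code so the join, the source-account exclusions, the privileged name/SID patterns and the maxspan check can be stepped through against constructed sample events (the hostnames, logon IDs, SIDs and IPs are invented). It also shows the correlation the investigation steps ask for: the matched pair carries both the source IP of the logon and the reset target.

```python
"""Replica of the rule's EQL sequence logic, run over constructed sample events (added example, not Elastic's code)."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Patterns copied from the rule query. EQL's ":" operator is case-insensitive,
# so value and pattern are lower-cased before glob matching.
SOURCE_USER_EXCLUSIONS = ("svc*", "PIM_*", "_*_", "*-*-*", "*$")
PRIVILEGED_NAME_PATTERNS = ("*Admin*", "*super*", "*SVC*", "*DC0*",
                            "*service*", "*DMZ*", "*ADM*")
PRIVILEGED_SID_PATTERNS = ("S-1-5-21-*-500", "S-1-12-1-*-500")
LOOPBACK = ("127.0.0.1", "::1")
MAXSPAN = timedelta(minutes=1)


def matches_any(value, patterns):
    """Case-insensitive wildcard match, mirroring EQL's ':' with '*' globs."""
    if value is None:
        return False
    value = value.lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)


def is_remote_network_logon(ev):
    """First stage: successful, non-loopback network logon (event 4624) not from an excluded account."""
    return (
        ev.get("event.action") == "logged-in"
        and ev.get("event.outcome") == "success"
        and (ev.get("winlog.logon.type") or "").lower() == "network"
        and ev.get("source.ip") is not None
        and ev.get("source.ip") not in LOOPBACK
        and not matches_any(ev.get("winlog.event_data.TargetUserName"), SOURCE_USER_EXCLUSIONS)
    )


def is_privileged_reset(ev):
    """Second stage: password reset (event 4724) whose target name or SID looks privileged."""
    return ev.get("event.action") == "reset-password" and (
        matches_any(ev.get("winlog.event_data.TargetUserName"), PRIVILEGED_NAME_PATTERNS)
        or matches_any(ev.get("winlog.event_data.TargetSid"), PRIVILEGED_SID_PATTERNS)
    )


def find_remote_privileged_resets(events, maxspan=MAXSPAN):
    """Join the logon's TargetLogonId to the reset's SubjectLogonId on the same host within
    maxspan and return (logon_event, reset_event) pairs. A newer qualifying logon with the
    same key replaces the older one, which is the simplified sequence state kept here."""
    pending = {}   # (computer_name, logon id) -> most recent qualifying logon
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        host = ev["winlog.computer_name"]
        if is_remote_network_logon(ev):
            pending[(host, ev["winlog.event_data.TargetLogonId"])] = ev
        elif is_privileged_reset(ev):
            key = (host, ev.get("winlog.event_data.SubjectLogonId"))
            logon = pending.get(key)
            if logon is not None and ev["@timestamp"] - logon["@timestamp"] <= maxspan:
                matches.append((logon, ev))
                del pending[key]
    return matches


# Constructed sample events; hosts, users, logon IDs, SIDs and IPs are invented.
T0 = datetime(2025, 3, 20, 9, 0, 0)


def _logon(host, user, logon_id, ip, offset_s):
    return {"@timestamp": T0 + timedelta(seconds=offset_s), "winlog.computer_name": host,
            "event.action": "logged-in", "event.outcome": "success",
            "winlog.logon.type": "Network", "source.ip": ip,
            "winlog.event_data.TargetUserName": user,
            "winlog.event_data.TargetLogonId": logon_id}


def _reset(host, target, sid, subject_logon_id, offset_s):
    return {"@timestamp": T0 + timedelta(seconds=offset_s), "winlog.computer_name": host,
            "event.action": "reset-password",
            "winlog.event_data.TargetUserName": target,
            "winlog.event_data.TargetSid": sid,
            "winlog.event_data.SubjectLogonId": subject_logon_id}


SAMPLE_EVENTS = [
    # 1. Remote logon by jdoe, then the RID-500 Administrator reset 20 s later: alert.
    _logon("DC01", "jdoe", "0x3e7a1", "10.0.0.25", 0),
    _reset("DC01", "Administrator", "S-1-5-21-1111-2222-3333-500", "0x3e7a1", 20),
    # 2. Source account matches the "svc*" exclusion: no alert.
    _logon("DC01", "svc_backup", "0x4b2", "10.0.0.40", 30),
    _reset("DC01", "Administrator", "S-1-5-21-1111-2222-3333-500", "0x4b2", 35),
    # 3. Reset arrives three minutes after the logon, outside maxspan: no alert.
    _logon("DC01", "asmith", "0x9f0", "10.0.0.51", 60),
    _reset("DC01", "Admin-Finance", "S-1-5-21-1111-2222-3333-1105", "0x9f0", 240),
    # 4. Target is an ordinary user account: no alert.
    _logon("FS01", "asmith", "0xa11", "10.0.0.51", 300),
    _reset("FS01", "bob", "S-1-5-21-1111-2222-3333-1200", "0xa11", 310),
]

if __name__ == "__main__":
    for logon, reset in find_remote_privileged_resets(SAMPLE_EVENTS):
        print(f"{reset['winlog.computer_name']}: {logon['winlog.event_data.TargetUserName']} "
              f"from {logon['source.ip']} reset password of "
              f"{reset['winlog.event_data.TargetUserName']} ({reset['winlog.event_data.TargetSid']})")
```

Run against the constructed events, only the first pair produces an alert. The false-positive guidance in the note maps directly onto the constants: adding a known administration host or automation account to `SOURCE_USER_EXCLUSIONS` (or a trusted-IP check in `is_remote_network_logon`) is the code equivalent of the exceptions the guide recommends, and tightening `PRIVILEGED_NAME_PATTERNS` to your own naming convention is what the query's comment asks for.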
Related rules
- A scheduled task was created
- Account Configured with Never-Expiring Password
- Adding Hidden File Attribute via Attrib
- AdminSDHolder Backdoor
- AdminSDHolder SDProp Exclusion Added