Suspicious Computer Machine Password by PowerShell
The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.
Sigma rule

```yaml
title: Suspicious Computer Machine Password by PowerShell
id: e3818659-5016-4811-a73c-dde4679169d2
status: test
description: |
    The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.
    You can use it to reset the password of the local computer.
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: frack113
date: 2022-02-21
tags:
    - attack.initial-access
    - attack.t1078
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains: 'Reset-ComputerMachinePassword'
    condition: selection
falsepositives:
    - Administrator PowerShell scripts
level: medium
```
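To see what the `selection` block actually matches, here is the rule's detection logic applied to a few constructed PowerShell module-logging (Event ID 4103) events. This is an added example, not code from the Sigma project; it assumes each event is a dict keyed by the Sigma field names `ContextInfo` and `Payload`, and it implements only the string modifiers the rule needs (Sigma string comparison is case-insensitive, and `contains` means `*value*`).

```python
import re

# Detection block of the rule above, transcribed entry by entry.
SELECTION = {"ContextInfo|contains": "Reset-ComputerMachinePassword"}


def compile_entry(spec, wanted):
    """Turn one 'field|modifier: value' entry into (field, regex) with Sigma
    semantics: comparison is case-insensitive and 'contains' means *value*."""
    field, _, modifier = spec.partition("|")
    core = re.escape(str(wanted))
    if modifier == "contains":
        pattern = f".*{core}.*"
    elif modifier == "startswith":
        pattern = f"{core}.*"
    elif modifier == "endswith":
        pattern = f".*{core}"
    elif modifier == "":
        pattern = core
    else:
        raise ValueError(f"unsupported modifier: {modifier}")
    return field, re.compile(f"^{pattern}$", re.IGNORECASE | re.DOTALL)


def matches_selection(event, selection=SELECTION):
    """A selection map is an AND of its entries; a missing field never matches."""
    for spec, wanted in selection.items():
        field, rx = compile_entry(spec, wanted)
        if field not in event or not rx.match(str(event[field])):
            return False
    return True


# Constructed 4103 module-logging events (sample data, not captured logs).
SAMPLE_EVENTS = [
    {"EventID": 4103,
     "ContextInfo": "Severity = Informational\r\n        Host Name = ConsoleHost\r\n"
                    "        Command Name = Reset-ComputerMachinePassword\r\n"
                    "        Command Type = Cmdlet",
     "Payload": 'CommandInvocation(Reset-ComputerMachinePassword): "Reset-ComputerMachinePassword"'},
    {"EventID": 4103,  # lower-case invocation still hits: matching is case-insensitive
     "ContextInfo": "Severity = Informational\r\n        Command Name = reset-computermachinepassword",
     "Payload": 'CommandInvocation(Reset-ComputerMachinePassword): "reset-computermachinepassword"'},
    {"EventID": 4103,  # benign cmdlet: no match
     "ContextInfo": "Severity = Informational\r\n        Command Name = Get-ChildItem",
     "Payload": 'CommandInvocation(Get-ChildItem): "Get-ChildItem"'},
]


def run_rule(events, selection=SELECTION):
    """Return the events that satisfy `condition: selection`."""
    return [e for e in events if matches_selection(e, selection)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit["Payload"])
```

Because the rule keys only on `ContextInfo`, an event where the cmdlet name appears solely in `Payload` would not match; the second sample event shows that the listed false positive (an administrator's own script) produces exactly the same hit, so triage has to rely on who ran it and from where.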