Suspicious Computer Machine Password by PowerShell
The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.
Sigma rule:

title: Suspicious Computer Machine Password by PowerShell
id: e3818659-5016-4811-a73c-dde4679169d2
status: test
description: |
    The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.
    You can use it to reset the password of the local computer.
references:
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: frack113
date: 2022/02/21
tags:
    - attack.initial_access
    - attack.t1078
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains: 'Reset-ComputerMachinePassword'
    condition: selection
falsepositives:
    - Administrator PowerShell scripts
level: medium
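To show what the rule actually matches, here is an added example (not part of the SigmaHQ rule or its documentation) that evaluates the selection above against constructed PowerShell module-logging records. It assumes the `ps_module` log source resolves to Event ID 4103 from the Microsoft-Windows-PowerShell/Operational channel and that its `ContextInfo` field carries the "Command Name = ..." block; the event records below are made up, not real telemetry.

```python
# Added example: apply the Sigma selection above to Event ID 4103 records.
# The events are constructed for illustration; field layout assumed from
# Windows PowerShell module logging (Microsoft-Windows-PowerShell/Operational).
RULE = {
    "selection": {"ContextInfo|contains": "Reset-ComputerMachinePassword"},
    "condition": "selection",
}
PS_MODULE_EVENT_ID = 4103  # assumed mapping for logsource category ps_module

SAMPLE_EVENTS = [  # constructed sample records
    {"EventID": 4103, "Computer": "WS01.corp.example",
     "ContextInfo": ("Severity = Informational\r\nHost Name = ConsoleHost\r\n"
                     "Command Name = Reset-ComputerMachinePassword\r\n"
                     "Command Type = Cmdlet\r\nUser = CORP\\jdoe")},
    {"EventID": 4103, "Computer": "WS02.corp.example",
     "ContextInfo": ("Severity = Informational\r\nHost Name = ConsoleHost\r\n"
                     "Command Name = Get-Process\r\nCommand Type = Cmdlet\r\n"
                     "User = CORP\\svc-backup")},
    # Script block logging (4104) is a different Sigma category (ps_script),
    # so this rule does not cover it even though the cmdlet name appears.
    {"EventID": 4104, "Computer": "WS03.corp.example",
     "ScriptBlockText": "Reset-ComputerMachinePassword -Server DC01"},
]


def field_matches(event: dict, key: str, needle: str) -> bool:
    """Evaluate one 'Field|modifier: value' pair. Sigma string matching is
    case-insensitive; only 'contains' and exact match are implemented here."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    if modifier == "contains":
        return needle.lower() in str(value).lower()
    if modifier == "":
        return str(value).lower() == needle.lower()
    raise ValueError(f"unsupported modifier: {modifier}")


def rule_matches(event: dict) -> bool:
    """condition: selection -> every pair in the selection map must match."""
    if event.get("EventID") != PS_MODULE_EVENT_ID:
        return False  # outside the rule's logsource
    return all(field_matches(event, k, v) for k, v in RULE["selection"].items())


def run_detection(events: list) -> list:
    """Return the (Computer, ContextInfo) pairs an analyst would triage."""
    return [(e["Computer"], e["ContextInfo"]) for e in events if rule_matches(e)]


if __name__ == "__main__":
    for computer, ctx in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {computer}: {ctx.splitlines()[2]}")
```

Because the listed false positive is administrator scripts, the `User` and `Host Name` lines inside `ContextInfo` are what to pivot on when triaging a hit.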
Related rules
- External Remote Service Logon from Public IP
- Yellow Cockatoo PowerShell Suspicious .NET Methods (RedCanary Threat Detection Report)
- Yellow Cockatoo Powershell Startup Folder Persistence (RedCanary Threat Detection Report)
- Disabled Users Failing To Authenticate From Source Using Kerberos
- Failed Logins with Different Accounts from Single Source System