Suspicious Computer Machine Password by PowerShell

 1title: Suspicious Computer Machine Password by PowerShell
 2id: e3818659-5016-4811-a73c-dde4679169d2
 3status: test
 4description: |
 5    The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.
 6    You can use it to reset the password of the local computer.    
 7references:
 8    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
 9    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
10author: frack113
11date: 2022/02/21
12tags:
13    - attack.initial_access
14    - attack.t1078
15logsource:
16    product: windows
17    category: ps_module
18    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
19detection:
20    selection:
21        ContextInfo|contains: 'Reset-ComputerMachinePassword'
22    condition: selection
23falsepositives:
24    - Administrator PowerShell scripts
25level: medium

References

• Reset-ComputerMachinePassword (Microsoft.PowerShell.Management) - PowerShell

  

  The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.

  
  Read More

• Qbot and Zerologon Lead To Full Domain Compromise

  

  In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of QBot (a.k.a. Quakbot/Qakbot) malware.

  
  Read More

Related rules

• External Remote Service Logon from Public IP
• Yellow Cockatoo PowerShell Suspicious .NET Methods (RedCanary Threat Detection Report)
• Yellow Cockatoo Powershell Startup Folder Persistence (RedCanary Threat Detection Report)
• Disabled Users Failing To Authenticate From Source Using Kerberos
• Failed Logins with Different Accounts from Single Source System