Suspicious Computer Machine Password by PowerShell

The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.

Sigma rule

title: Suspicious Computer Machine Password by PowerShell
id: e3818659-5016-4811-a73c-dde4679169d2
status: test
description: |
    The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.
    You can use it to reset the password of the local computer.
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: frack113
date: 2022/02/21
tags:
    - attack.initial_access
    - attack.t1078
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains: 'Reset-ComputerMachinePassword'
    condition: selection
falsepositives:
    - Administrator PowerShell scripts
level: medium

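As an added example (not code from this page or from the SigmaHQ project), the rule's `selection` evaluated over constructed PowerShell Module Logging records, the Event ID 4103 data that the `ps_module` logsource maps to. The `ContextInfo` layout produced by `ctx`, the record ids and the sample `Payload` strings are assumptions; Sigma string matching is case-insensitive by default, so the lower-cased invocation matches too, while a record that carries the cmdlet name only in `Payload` does not, because the rule inspects `ContextInfo` alone.

```python
# The rule's `selection` map, verbatim: "field|modifier" -> value.
SELECTION = {"ContextInfo|contains": "Reset-ComputerMachinePassword"}


def sigma_match(event: dict, selection: dict) -> bool:
    """True if every field|modifier: value pair in the selection matches the event.
    Only `contains` and bare equality are implemented; Sigma string matching is
    case-insensitive unless `cased` is used, so both sides are lower-cased."""
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        observed = str(event.get(field, "")).lower()
        wanted = str(value).lower()
        if modifier == "contains":
            matched = wanted in observed
        elif modifier == "":
            matched = wanted == observed
        else:
            raise ValueError(f"modifier not implemented: {modifier}")
        if not matched:
            return False
    return True


def ctx(command_name: str) -> str:
    """Constructed ContextInfo text shaped like a 4103 event's (an assumption)."""
    return ("Severity = Informational\r\n        Host Name = ConsoleHost\r\n"
            f"        Command Name = {command_name}\r\n        Command Type = Cmdlet")


# Constructed sample ps_module records, not real telemetry.
SAMPLE_EVENTS = [
    {"id": "admin-reset", "EventID": 4103,
     "ContextInfo": ctx("Reset-ComputerMachinePassword"),
     "Payload": 'CommandInvocation(Reset-ComputerMachinePassword): "Reset-ComputerMachinePassword"'},
    {"id": "lowercase-reset", "EventID": 4103,
     "ContextInfo": ctx("reset-computermachinepassword"),
     "Payload": 'CommandInvocation(reset-computermachinepassword): "reset-computermachinepassword"'},
    # cmdlet name only in Payload, a field the rule does not inspect
    {"id": "help-lookup", "EventID": 4103, "ContextInfo": ctx("Get-Help"),
     "Payload": 'ParameterBinding(Get-Help): name="Name"; value="Reset-ComputerMachinePassword"'},
    {"id": "unrelated", "EventID": 4103, "ContextInfo": ctx("Get-ADComputer"),
     "Payload": 'CommandInvocation(Get-ADComputer): "Get-ADComputer"'},
]


def run_rule(events) -> list:
    """Ids of the events that `condition: selection` would flag."""
    return [e["id"] for e in events if sigma_match(e, SELECTION)]


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['admin-reset', 'lowercase-reset']
```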