Computer Password Change Via Ksetup.EXE

calendar Feb 1, 2024 · attack.execution  ·
Share on: linkedin copy

Detects password change for the computer's domain account or host principal via "ksetup.exe"

Sigma rule (View on GitHub)

 1title: Computer Password Change Via Ksetup.EXE
 2id: de16d92c-c446-4d53-8938-10aeef41c8b6
 3status: test
 4description: Detects password change for the computer's domain account or host principal via "ksetup.exe"
 5references:
 6    - https://twitter.com/Oddvarmoe/status/1641712700605513729
 7    - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023/04/06
10tags:
11    - attack.execution
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection_img:
17        - Image|endswith: '\ksetup.exe'
18        - OriginalFileName: 'ksetup.exe'
19    selection_cli:
20        CommandLine|contains: ' /setcomputerpassword '
21    condition: all of selection_*
22falsepositives:
23    - Unknown
24level: medium

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • ksetup

    Reference article for the ksetup command, which performs tasks related to setting up and maintaining Kerberos protocol and the Key Distribution Center (KDC) to support Kerberos realms.


    Read More

Related rules

to-top