Logged-On User Password Change Via Ksetup.EXE

calendar Feb 1, 2024 · attack.execution  ·
Share on: linkedin copy

Detects password change for the logged-on user's via "ksetup.exe"

Sigma rule (View on GitHub)

 1title: Logged-On User Password Change Via Ksetup.EXE
 2id: c9783e20-4793-4164-ba96-d9ee483992c4
 3status: test
 4description: Detects password change for the logged-on user's via "ksetup.exe"
 5references:
 6    - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/04/06
 9tags:
10    - attack.execution
11logsource:
12    category: process_creation
13    product: windows
14detection:
15    selection_img:
16        - Image|endswith: '\ksetup.exe'
17        - OriginalFileName: 'ksetup.exe'
18    selection_cli:
19        CommandLine|contains: ' /ChangePassword '
20    condition: all of selection_*
21falsepositives:
22    - Unknown
23level: medium

References

  • ksetup

    Reference article for the ksetup command, which performs tasks related to setting up and maintaining Kerberos protocol and the Key Distribution Center (KDC) to support Kerberos realms.


    Read More

Related rules

to-top