
Summary
This rule detects a rapid, automated pattern of password changes across multiple local accounts performed by a single initiating user within a 2-second window. It ingests Windows Security event IDs 4723 and 4724 (password change attempt and password reset attempt). The search partitions events into 2-second time buckets, filters to real user accounts (SubjectRID >= 1000), and groups by destination computer, target username, initiating username, and time bucket. It flags cases where at least four events occur within the same bucket, then computes the duration (first to last event), the fastest burst, and the change rate (password changes per second). The finding highlights the destination host, the initiating account, and the affected accounts, with a title such as “Rapid burst of password changes of local accounts by $SubjectUserName$ on $dest$.”

This pattern is indicative of credential manipulation tooling or automated credential escalation, where password resets are performed en masse across accounts to deny access to defenders or to escalate privileges, rather than routine manual administration. Legitimate administrative activity is unlikely to occur at machine speed across many accounts concurrently. Service accounts performing maintenance tasks are a potential source of false positives and should be filtered accordingly.

The technique aligns with Windows Privilege Escalation (T1068) and is part of BlueHammer/Splunk content for credential abuse detection. References include the BlueHammer repository. Data sources rely on the Windows TA ingesting security events 4723/4724.
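The bucketing, filtering and burst-metric logic described above, re-implemented in Python as an added example so it can be run offline; this is not the rule's own SPL and not code from the BlueHammer or Splunk projects. The event dictionaries and their field names (_time, EventCode, dest, SubjectUserName, SubjectRID, TargetUserName) are constructed to mirror the fields the summary names; events are grouped per destination host, initiating user and 2-second bucket with the target accounts collected per group (this example's reading of the grouping), "fastest burst" is taken to mean the smallest gap between consecutive events, and the exclude_subjects allowlist is the service-account filter the summary recommends, all of which are this example's assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Rule parameters as described in the summary.
BUCKET_SECONDS = 2                   # width of each time bucket
MIN_EVENTS = 4                       # events per bucket needed to raise a finding
PASSWORD_EVENT_CODES = {4723, 4724}  # password change attempt, password reset attempt
MIN_USER_RID = 1000                  # RIDs below 1000 are built-in accounts, not real users


def ev(t, code, dest, subject, rid, target):
    """Build one constructed Security event (field names follow the summary)."""
    return {"_time": t, "EventCode": code, "dest": dest, "SubjectUserName": subject,
            "SubjectRID": rid, "TargetUserName": target}


# Constructed sample events; times are epoch seconds.
SAMPLE_EVENTS = [
    # Burst: svc_deploy changes five local accounts on WS01 within 1.2 s (mixed 4723/4724).
    ev(1000.0, 4723, "WS01", "svc_deploy", 1105, "alice"),
    ev(1000.3, 4724, "WS01", "svc_deploy", 1105, "bob"),
    ev(1000.6, 4724, "WS01", "svc_deploy", 1105, "carol"),
    ev(1000.9, 4724, "WS01", "svc_deploy", 1105, "dave"),
    ev(1001.2, 4724, "WS01", "svc_deploy", 1105, "eve"),
    # Second burst on another host by a backup service account (a likely false positive).
    ev(2000.1, 4724, "SRV02", "svc_backup", 1300, "app1"),
    ev(2000.4, 4724, "SRV02", "svc_backup", 1300, "app2"),
    ev(2000.5, 4724, "SRV02", "svc_backup", 1300, "app3"),
    ev(2001.9, 4724, "SRV02", "svc_backup", 1300, "app4"),
    # Built-in subject (RID 18, SYSTEM): dropped by the SubjectRID >= 1000 filter.
    ev(3000.0, 4724, "WS01", "SYSTEM", 18, "alice"),
    ev(3000.1, 4724, "WS01", "SYSTEM", 18, "bob"),
    ev(3000.2, 4724, "WS01", "SYSTEM", 18, "carol"),
    ev(3000.3, 4724, "WS01", "SYSTEM", 18, "dave"),
    # Routine admin work: two changes ten seconds apart, never four in one bucket.
    ev(4000.0, 4723, "WS01", "jsmith", 1200, "alice"),
    ev(4010.0, 4723, "WS01", "jsmith", 1200, "bob"),
    # Only three password events in this bucket; the 4720 (account created) is not counted.
    ev(5000.0, 4724, "WS01", "svc_deploy", 1105, "frank"),
    ev(5000.2, 4724, "WS01", "svc_deploy", 1105, "grace"),
    ev(5000.4, 4720, "WS01", "svc_deploy", 1105, "heidi"),
    ev(5000.6, 4724, "WS01", "svc_deploy", 1105, "ivan"),
]


@dataclass
class Finding:
    dest: str
    subject: str
    bucket_start: int
    event_count: int
    targets: list
    duration_s: float
    fastest_burst_s: float
    rate_per_s: float

    @property
    def title(self):
        # Same shape as the rule's finding title, with the placeholders filled in.
        return f"Rapid burst of password changes of local accounts by {self.subject} on {self.dest}"


def detect_password_change_bursts(events, exclude_subjects=frozenset()):
    """Return one Finding per (dest, initiating user, bucket) holding >= MIN_EVENTS events.

    exclude_subjects is an allowlist of initiating accounts (e.g. maintenance service
    accounts) dropped before grouping: the false-positive filter the summary recommends.
    """
    groups = defaultdict(list)
    for e in events:
        if e["EventCode"] not in PASSWORD_EVENT_CODES:
            continue
        if e["SubjectRID"] < MIN_USER_RID:            # built-in accounts
            continue
        if e["SubjectUserName"] in exclude_subjects:  # known-benign automation
            continue
        bucket = int(e["_time"] // BUCKET_SECONDS) * BUCKET_SECONDS
        groups[(e["dest"], e["SubjectUserName"], bucket)].append(e)

    findings = []
    for (dest, subject, bucket), evs in sorted(groups.items()):
        if len(evs) < MIN_EVENTS:
            continue
        times = sorted(x["_time"] for x in evs)
        duration = round(times[-1] - times[0], 3)
        # "Fastest burst" is read here as the smallest gap between consecutive events.
        fastest = round(min(b - a for a, b in zip(times, times[1:])), 3)
        # Identical timestamps would give duration 0; treat that as one second so the
        # rate stays finite (this example's choice, not something the rule states).
        rate = round(len(evs) / (duration if duration > 0 else 1.0), 3)
        targets = sorted({x["TargetUserName"] for x in evs})
        findings.append(Finding(dest, subject, bucket, len(evs), targets,
                                duration, fastest, rate))
    return findings


if __name__ == "__main__":
    for f in detect_password_change_bursts(SAMPLE_EVENTS):
        print(f.title, "|", f.event_count, "events in", f.duration_s, "s ->",
              f.rate_per_s, "changes/s; targets:", ", ".join(f.targets))
```

Run as-is, the script raises two findings (svc_backup on SRV02 and svc_deploy on WS01) and stays silent for the SYSTEM, jsmith and three-event groups; passing exclude_subjects={"svc_backup"} suppresses the backup account, which is the tuning step to apply once a maintenance job has been confirmed as the source.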
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1068
Created: 2026-06-16