
Rubeus Password Change

Anvilogic Forge

Summary
This detection rule identifies password change attempts made with the "changepw" action of the Rubeus tool in Windows environments. It applies to Windows Security Event IDs 4723 (an attempt was made to change an account's password) and 4738 (a user account was changed), which together record a completed password change. Rubeus "changepw" lets an attacker who holds a Ticket Granting Ticket (TGT) for an account change that account's password on the fly by supplying the ticket and a new password; the change is carried out through the Kerberos password-change (kpasswd) service, and the action targets the current domain controller if none is specified. The resulting events are written to the Security log of the domain controller that processed the change (so DC log collection is required) and look the same as a legitimate password change. The rule therefore aggregates the events over time, per target account, to surface patterns that suggest the password change mechanism is being abused to persist in a compromised account or to escalate privileges with valid credentials. The behaviour maps to T1078 (Valid Accounts) and T1558 (Steal or Forge Kerberos Tickets). The rule is implemented as a Splunk search over the collected Windows event logs; a match is a starting point for triage, and further analysis is required to determine whether the activity is malicious.
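The correlation the summary describes, shown as an added Python example rather than Anvilogic's own Splunk logic: each 4723 attempt is matched to the 4738 that confirms the change on the same target account, and completed changes are then aggregated over a time window to flag bursts. Field names mirror the Security log (TargetUserName, SubjectUserName), but the events, the 10-second pairing gap, the 5-minute window and the threshold of three accounts are all constructed or assumed for illustration.

```python
"""Pair Windows Security events 4723/4738 per target account and flag bursts.

Added example of the detection idea; not the Anvilogic Forge rule itself.
Sample events below are constructed, not captured from a real domain.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SecurityEvent:
    time: datetime
    event_id: int       # 4723 = change attempt, 4738 = account changed
    target_user: str    # TargetUserName: account whose password is changed
    subject_user: str   # SubjectUserName: principal making the change
    computer: str       # domain controller that logged the event


# Constructed sample log extract from a domain controller.
SAMPLE_EVENTS = [
    # ordinary self-service change during the day: attempt + confirmation
    SecurityEvent(datetime(2024, 2, 9, 9, 0, 0), 4723, "jdoe", "jdoe", "DC01"),
    SecurityEvent(datetime(2024, 2, 9, 9, 0, 1), 4738, "jdoe", "jdoe", "DC01"),
    # failed attempt (e.g. wrong old password): 4723 with no 4738
    SecurityEvent(datetime(2024, 2, 9, 10, 30, 0), 4723, "asmith", "asmith", "DC01"),
    # three service accounts changed within a minute, late at night
    SecurityEvent(datetime(2024, 2, 9, 23, 14, 0), 4723, "svc_backup", "svc_backup", "DC01"),
    SecurityEvent(datetime(2024, 2, 9, 23, 14, 0), 4738, "svc_backup", "svc_backup", "DC01"),
    SecurityEvent(datetime(2024, 2, 9, 23, 14, 20), 4723, "svc_sql", "svc_sql", "DC01"),
    SecurityEvent(datetime(2024, 2, 9, 23, 14, 21), 4738, "svc_sql", "svc_sql", "DC01"),
    SecurityEvent(datetime(2024, 2, 9, 23, 14, 45), 4723, "svc_web", "svc_web", "DC01"),
    SecurityEvent(datetime(2024, 2, 9, 23, 14, 46), 4738, "svc_web", "svc_web", "DC01"),
]


def pair_changes(events, max_gap=timedelta(seconds=10)):
    """Match each 4723 to the first unused 4738 for the same target within max_gap.

    Returns one record per 4723, in time order. Attempts with no matching
    4738 are kept with completed=False so failed changes are still visible.
    """
    ordered = sorted(events, key=lambda e: e.time)
    confirms = [e for e in ordered if e.event_id == 4738]
    used, records = set(), []
    for att in (e for e in ordered if e.event_id == 4723):
        match = None
        for i, c in enumerate(confirms):
            if i in used or c.target_user != att.target_user:
                continue
            if att.time <= c.time <= att.time + max_gap:
                match = c
                used.add(i)
                break
        records.append({
            "target": att.target_user,
            "subject": att.subject_user,
            "computer": att.computer,
            "attempt": att.time,
            "completed": match is not None,
        })
    return records


def burst_hits(records, window=timedelta(minutes=5), threshold=3):
    """Flag windows in which at least `threshold` distinct accounts completed a change.

    window and threshold are assumed tuning values. Returns (window_start,
    sorted target accounts) per hit; events inside a reported window are not
    reused as the start of another hit.
    """
    done = sorted((r for r in records if r["completed"]), key=lambda r: r["attempt"])
    hits, i = [], 0
    while i < len(done):
        end = done[i]["attempt"] + window
        in_window = [r for r in done[i:] if r["attempt"] <= end]
        targets = sorted({r["target"] for r in in_window})
        if len(targets) >= threshold:
            hits.append((done[i]["attempt"], targets))
            i += len(in_window)
        else:
            i += 1
    return hits


if __name__ == "__main__":
    recs = pair_changes(SAMPLE_EVENTS)
    for start, targets in burst_hits(recs):
        print(f"{start.isoformat()} burst of password changes: {', '.join(targets)}")
```

Because a Rubeus change made with the target's own TGT produces SubjectUserName equal to TargetUserName, the subject field alone does not separate it from a self-service change; that is why the aggregation step, not the individual event, carries the signal, and why every hit still needs analyst review.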
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
  • User Account
ATT&CK Techniques
  • T1078
  • T1558
Created: 2024-02-09