
Summary
This detection rule, authored by Elastic, focuses on identifying attempts to remotely reset passwords of potentially privileged accounts. Adversaries may manipulate account passwords to maintain access to systems and evade security measures, such as password expiration policies. The rule is designed to monitor successful remote authentication events followed by suspicious password reset activities, particularly targeting privileged accounts to reduce false positives. The investigation guide provided within the rule outlines steps for validating suspicious activity, including reviewing source IP addresses and correlating event data to ensure actions are linked to authorized users. False positives can arise from legitimate administrative tasks; therefore, guidelines for managing exceptions are outlined, including the identification of specific IPs and accounts involved in routine maintenance tasks. Additionally, the rule emphasizes the importance of prompt incident response to mitigate risks associated with unauthorized access.
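The correlation the summary describes (a successful remote logon followed shortly by a password reset of a privileged account, with exceptions for known maintenance sources) can be illustrated in code. The following is an added example written for this page, not Elastic's rule logic; it assumes Windows Security event IDs 4624 (successful logon, logon types 3 and 10 treated as remote) and 4724 (password reset attempt), a name-prefix heuristic for privileged accounts, and constructed sample events.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed field layout of a normalized Windows Security event (constructed for this example).
@dataclass
class Event:
    ts: datetime
    event_id: int
    host: str
    subject_user: str      # account performing the action
    logon_type: int = 0    # 4624 only: 3 = network, 10 = RemoteInteractive
    source_ip: str = ""    # 4624 only
    target_user: str = ""  # 4724 only: account whose password is being reset

# Assumptions to tune per environment: privileged-account naming, remote logon types,
# correlation window, and source IPs used for routine maintenance (exception list).
PRIVILEGED_PREFIXES = ("admin", "svc_", "da_")
REMOTE_LOGON_TYPES = {3, 10}
WINDOW = timedelta(minutes=5)
MAINTENANCE_SOURCE_IPS = {"10.0.0.99"}

def is_privileged(user: str) -> bool:
    return user.lower().startswith(PRIVILEGED_PREFIXES)

def find_remote_reset_sequences(events):
    """Return (logon, reset) pairs: a remote 4624 by subject_user on a host, followed within
    WINDOW by a 4724 from the same user on the same host against a privileged account."""
    recent_remote_logons = {}  # (host, user) -> most recent remote logon event
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.host, e.subject_user.lower())
        if e.event_id == 4624 and e.logon_type in REMOTE_LOGON_TYPES:
            recent_remote_logons[key] = e
        elif e.event_id == 4724 and is_privileged(e.target_user):
            logon = recent_remote_logons.get(key)
            if logon and e.ts - logon.ts <= WINDOW and logon.source_ip not in MAINTENANCE_SOURCE_IPS:
                hits.append((logon, e))
    return hits

# Constructed sample events: one true sequence, one non-privileged target, one local logon.
SAMPLE = [
    Event(datetime(2021, 10, 18, 9, 0, 0), 4624, "DC01", "jdoe", 10, "10.0.0.25"),
    Event(datetime(2021, 10, 18, 9, 2, 0), 4724, "DC01", "jdoe", target_user="admin_backup"),
    Event(datetime(2021, 10, 18, 9, 5, 0), 4624, "DC01", "helpdesk", 3, "10.0.0.40"),
    Event(datetime(2021, 10, 18, 9, 6, 0), 4724, "DC01", "helpdesk", target_user="bsmith"),
    Event(datetime(2021, 10, 18, 10, 0, 0), 4624, "WS07", "jdoe", 2),  # console logon, not remote
    Event(datetime(2021, 10, 18, 10, 1, 0), 4724, "WS07", "jdoe", target_user="admin_local"),
]

if __name__ == "__main__":
    for logon, reset in find_remote_reset_sequences(SAMPLE):
        print(f"{reset.ts} {reset.host}: {reset.subject_user} from {logon.source_ip} "
              f"reset password of {reset.target_user}")
```

Each hit carries the source IP from the logon event, which is the first value the investigation guide asks an analyst to review.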
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Logon Session
- Application Log
ATT&CK Techniques
- T1098
- T1531
Created: 2021-10-18