[New Rule] Account Password Reset Remotely (#1571)

* [New Rule] Account Password Reset Remotely

* Update non-ecs-schema.json

* udpate ruleId

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

etc/non-ecs-schema.json

@@ -11,6 +11,12 @@
     "winlog.event_data.OriginalFileName": "keyword",
     "winlog.event_data.GrantedAccess": "keyword",
     "winlog.event_data.CallTrace": "keyword",
+    "powershell.file.script_block_text": "text", 
+    "winlog.event_data.CallerProcessName": "keyword", 
+    "winlog.event_data.TargetSid": "keyword", 
+    "winlog.logon.type": "keyword",
+    "winlog.event_data.TargetLogonId": "keyword",
+    "winlog.event_data.SubjectLogonId": "keyword",
     "winlog.event_data.TargetImage": "keyword",
     "powershell.file.script_block_text": "text"
   },

rules/windows/persistence_remote_password_reset.toml

@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2021/10/18"
+maturity = "production"
+updated_date = "2021/10/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain
+access or evade password duration policies and preserve compromised credentials.
+"""
+false_positives = ["Legitimate remote account administration."]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Account Password Reset Remotely"
+references = [
+    "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724",
+    "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/",
+    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx",
+]
+risk_score = 47
+rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan=5m
+  [authentication where event.action == "logged-in" and
+    /* event 4624 need to be logged */
+    winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
+    not source.ip in ("127.0.0.1", "::1")] by winlog.event_data.TargetLogonId
+   /* event 4724 need to be logged */
+  [iam where event.action == "reset-password"] by winlog.event_data.SubjectLogonId
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+reference = "https://attack.mitre.org/techniques/T1098/"
+name = "Account Manipulation"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+name = "Persistence"
+