security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Account Password Reset Remotely (#3335)

Browse Source 
* [Rule Tuning] Account Password Reset Remotely

- reduced maxspan from 5 to 1m (automated pwd reset)
- excluded most common noisy winlog.event_data.TargetUserName patterns (service account dedicated for pwd reset en masse)

* Update persistence_remote_password_reset.toml

(cherry picked from commit 7a4f1224dc)
This commit is contained in:
Samirbous
2023-12-14 17:22:19 +00:00
committed by github-actions[bot]
parent 1f15003bd1
commit d5e7f2c958
1 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/persistence_remote_password_reset.toml
+6 -4
View File
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/13"
updated_date = "2023/12/14"
[rule]
author = ["Elastic"]
@@ -14,10 +14,11 @@ passwords to maintain access or evade password duration policies and preserve co
"""
false_positives = ["Legitimate remote account administration."]
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
language = "eql"
license = "Elastic License v2"
name = "Account Password Reset Remotely"
note = "This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity."
references = [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724",
"https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/",
@@ -31,11 +32,12 @@ tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic
type = "eql"
query = '''
sequence by winlog.computer_name with maxspan=5m
sequence by winlog.computer_name with maxspan=1m
[authentication where event.action == "logged-in" and
/* event 4624 need to be logged */
winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId
source.ip != "127.0.0.1" and source.ip != "::1" and
not winlog.event_data.TargetUserName : ("svc*", "PIM_*", "_*_", "*-*-*", "*$")] by winlog.event_data.TargetLogonId
/* event 4724 need to be logged */
[iam where event.action == "reset-password" and
(