From d5e7f2c958d8b520cbdf2f74df46173da643bf50 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 14 Dec 2023 17:22:19 +0000
Subject: [PATCH] [Rule Tuning] Account Password Reset Remotely (#3335)

* [Rule Tuning] Account Password Reset Remotely
- reduced maxspan from 5 to 1m (automated pwd reset)
- excluded most common noisy winlog.event_data.TargetUserName patterns (service account dedicated for pwd reset en masse)
* Update persistence_remote_password_reset.toml
(cherry picked from commit 7a4f1224dc8c0146b28f21ee87b88d8b685fb0e8)
---
 rules/windows/persistence_remote_password_reset.toml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 9d20a013b..cdfc774f0 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/13"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -14,10 +14,11 @@ passwords to maintain access or evade password duration policies and preserve co
 """
 false_positives = ["Legitimate remote account administration."]
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Account Password Reset Remotely"
+note = "This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity."
 references = [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724",
 "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/",
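Review bot: The new `note` field documents only the performance cost, but the tuning this commit describes also removes logon events whose `winlog.event_data.TargetUserName` matches `svc*`, `PIM_*`, `_*_`, `*-*-*` or `*$` (the exclusion is in the following hunk), so password resets against accounts named that way are outside the rule's coverage and the note is where an analyst would expect to learn that. Suggest extending it along the lines of `note = "This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity. Logon events for target user names matching svc*, PIM_*, _*_, *-*-* or *$ are excluded to reduce noise from bulk password-reset service accounts; review these patterns against local naming conventions, since accounts matching them are not covered."` The `index` change also narrows `logs-system.*` and `logs-windows.*` to `logs-system.security*` and `logs-windows.forwarded*`, which silently drops any other data streams the old patterns matched; it would be worth confirming that both the 4624 and 4724 legs of the sequence are shipped on those streams in the deployments this rule targets.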
@@ -31,11 +32,12 @@ tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic
 type = "eql"
 query = '''
-sequence by winlog.computer_name with maxspan=5m
+sequence by winlog.computer_name with maxspan=1m
 [authentication where event.action == "logged-in" and /* event 4624 need to be logged */
 winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
- source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId
+ source.ip != "127.0.0.1" and source.ip != "::1" and
+ not winlog.event_data.TargetUserName : ("svc*", "PIM_*", "_*_", "*-*-*", "*$")] by winlog.event_data.TargetLogonId
 /* event 4724 need to be logged */
 [iam where event.action == "reset-password" and (