Multiple Account Passwords changed by an Administrator

Description

Detect multiple account password changes done by an Administrator

Use Case

Security Monitoring, Compliance

Category

Compliance, Privileged User Monitoring

Security Impact

Attackers change or reset one or more user-account passwords to take over the rights those users hold, or to hide their own activity inside a window of time. In most environments password resets come from an automated process or a handful of helpdesk accounts, so any reset event that deviates from those expected sources should be investigated.

Alert Volume

Medium

SPL Difficulty

Easy

Journey

Stage 1

MITRE ATT&CK Tactics

Persistence
Initial Access
Credential Access

MITRE ATT&CK Techniques

Valid Accounts
Account Manipulation

MITRE Threat Groups

APT18
APT28
APT3
APT33
APT39
APT41
Carbanak
Chimera
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Lazarus Group
Leviathan
Night Dragon
OilRig
PittyTiger
Sandworm Team
Silence
Soft Cell
Suckfly
TEMP.Veles
Threat Group-3390
UNC2452
Wizard Spider
menuPass

Kill Chain Phases

Actions On Objectives

Data Sources

Windows Security

How to Implement

Configure your Windows audit policy to record account-management events and forward them to Splunk with a Universal Forwarder or by other means. The event IDs this search uses are 4723 (an attempt was made to change an account's password) and 4724 (an attempt was made to reset an account's password) on current Windows versions, plus their pre-Vista equivalents 627 and 628. Both current IDs come from the Audit User Account Management subcategory under Account Management, so that subcategory must be enabled for success events at minimum. Note the difference between the two: 4724 is a reset performed by another account, which is the behaviour this detection is about; 4723 is a user changing their own password and normally carries the same subject and target account.

Known False Positives

The main source of false positives is that this search fires for any account the Asset and Identity framework flags as privileged that resets passwords, not only administrators. It is hard to express "administrators only" in a single search, because "privileged" is a general label for any user with rights above the average user, so helpdesk accounts with elevated rights will trigger it alongside true admins. Maintain an allowlist of the accounts expected to reset passwords (helpdesk users and the service accounts of an automated password-management system) and compare findings against it, or tune the threshold to their normal volume.

Beyond that, there are no known sources of false positives for this search.

How To Respond

When this search returns accounts outside the expected set (a handful of helpdesk accounts, or the service accounts used by an automated password-management system), start your incident response process and capture the account that performed the changes, the accounts whose passwords were changed, the time of each event, the system the requests came from and any other pertinent information. Contact the account owners to confirm whether the activity was authorized. If it was not, investigate what each changed account did after its password was changed. If it was authorized, document that it was and who authorized it.

Help

Multiple Account Passwords changed by an Administrator Help

This example leverages the Simple Search assistant. The dataset is a collection of Windows Security logs for password change and reset events. The search counts those events per performing user over a short period of time and surfaces any privileged user whose activity matches.

SPL for Multiple Account Passwords changed by an Administrator

Live Data

1. Start with the data set of Windows Security events carrying the event codes we are considering (627, 628, 4723, 4724).
2. Count the number of events by user (the account that performed the change).
3. Use a macro to attach information from the ES Asset and Identity framework, so you can see whether that user is considered privileged.
4. Filter on privileged users only.
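The same four steps, as an added example in Python rather than SPL (this is not Splunk Security Essentials' own search and is not code from the page). It runs over constructed sample log lines in a simplified key=value form of the Windows Security fields, uses a hypothetical identity table in place of the ES Asset and Identity framework, an assumed allowlist of expected resetters, and an assumed threshold of three password events within one hour; all of those are assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event codes named on the page: 4723/4724 (current Windows), 627/628 (pre-Vista).
EVENT_CODES = {"627", "628", "4723", "4724"}

# Constructed sample log lines for this example (not real data). Field names
# follow the Windows Security log: SubjectUserName is the account that made
# the change, TargetUserName is the account whose password was changed.
# The 4672 line is there to show unrelated event codes being dropped.
SAMPLE_LOG = """\
2024-05-01T09:00:05 EventCode=4724 SubjectUserName=adm.smith TargetUserName=alice
2024-05-01T09:02:11 EventCode=4724 SubjectUserName=adm.smith TargetUserName=bob
2024-05-01T09:04:40 EventCode=4724 SubjectUserName=adm.smith TargetUserName=carol
2024-05-01T09:07:59 EventCode=4724 SubjectUserName=adm.smith TargetUserName=dave
2024-05-01T09:10:00 EventCode=4724 SubjectUserName=helpdesk01 TargetUserName=eve
2024-05-01T09:25:00 EventCode=4724 SubjectUserName=helpdesk01 TargetUserName=frank
2024-05-01T09:40:00 EventCode=4724 SubjectUserName=helpdesk01 TargetUserName=grace
2024-05-01T10:00:00 EventCode=4723 SubjectUserName=jdoe TargetUserName=jdoe
2024-05-01T11:00:00 EventCode=4724 SubjectUserName=adm.jones TargetUserName=heidi
2024-05-01T13:30:00 EventCode=4724 SubjectUserName=adm.jones TargetUserName=ivan
2024-05-01T16:00:00 EventCode=4724 SubjectUserName=adm.jones TargetUserName=judy
2024-05-01T09:00:00 EventCode=4672 SubjectUserName=adm.smith TargetUserName=-
"""

# Assumed identity lookup standing in for the ES Asset and Identity framework
# (hypothetical data), and an assumed allowlist of accounts expected to reset
# passwords: a helpdesk user and an automated password-management service account.
IDENTITIES = {
    "adm.smith": {"privileged": True},
    "adm.jones": {"privileged": True},
    "helpdesk01": {"privileged": True},
    "svc_pwreset": {"privileged": True},
    "jdoe": {"privileged": False},
}
EXPECTED_RESETTERS = {"helpdesk01", "svc_pwreset"}

LINE_RE = re.compile(
    r"^(\S+) EventCode=(\d+) SubjectUserName=(\S+) TargetUserName=(\S+)$"
)


def parse_events(text):
    """Step 1: keep only password change/reset events as (time, code, subject, target)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, code, subject, target = m.groups()
        if code not in EVENT_CODES:
            continue
        events.append((datetime.fromisoformat(ts), code, subject, target))
    return events


def max_in_window(times, window):
    """Largest number of events that fall inside any single span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(text, window_hours=1.0, threshold=3,
           identities=IDENTITIES, expected=EXPECTED_RESETTERS):
    """Steps 2-4: count by performing user, attach identity info, keep privileged users.

    A user is reported when at least `threshold` of their events fall within
    `window_hours` of each other. The allowlist only sets the disposition, so a
    helpdesk account resetting an unusual volume is still visible to the analyst.
    """
    window = timedelta(hours=window_hours)
    by_subject = defaultdict(list)
    for ts, _code, subject, target in parse_events(text):
        by_subject[subject].append((ts, target))

    findings = []
    for subject, rows in by_subject.items():
        if not identities.get(subject, {}).get("privileged", False):
            continue  # step 4: privileged users only
        peak = max_in_window([ts for ts, _ in rows], window)
        if peak < threshold:
            continue
        findings.append({
            "subject": subject,
            "count": len(rows),
            "peak_in_window": peak,
            "targets": sorted({t for _, t in rows}),
            "disposition": "expected" if subject in expected else "investigate",
        })
    return sorted(findings, key=lambda f: f["subject"])


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['subject']}: {f['peak_in_window']} password events within 1h "
              f"(targets {', '.join(f['targets'])}) -> {f['disposition']}")
```

On the sample data adm.smith is reported for investigation (four resets in eight minutes), helpdesk01 is reported but marked expected, jdoe is dropped because the identity table does not mark that user privileged, and adm.jones is not reported at all because three resets spread over five hours never fall inside one hour of each other; widening the window to eight hours surfaces adm.jones too, which is the tuning knob the Alert Volume rating above depends on.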