Multiple Account Passwords changed by an Administrator
Detect multiple account password changes done by an Administrator
How to Implement
You should configure your audit policy to include these events (627 and 628 on pre-Vista systems, 4723 and 4724 on current Windows versions; the modern pair is produced by the Audit User Account Management subcategory, where 4723 is an attempt to change a password and 4724 is an attempt to reset one) and log the events using a Splunk Universal Forwarder or via other means.
Known False Positives
The biggest potential false positive from this detection is that, technically, it will fire for any privileged account that is resetting passwords, not just admin accounts specifically. It is difficult to put enough logic into a single search to isolate admin-only accounts, because "privilege" is a general term that covers any user with rights above the average user. So while the search is meant to detect password changes made by admins, it will also alert on any help-desk user whose account is marked as privileged.
Beyond that, there are no known sources of false positives for this search.
How To Respond
When this search returns accounts outside the expected set (a handful of help-desk accounts, or specific system accounts that belong to an automated password management system), initiate your incident response process and capture the user accounts involved, the time of each password change event, the system that initiated the request and other pertinent information. Contact the account owners to verify whether this is authorized behavior. If not, investigate the actions taken by each account after its password was changed. If it is authorized behavior, document that it is authorized and by whom.
Multiple Account Passwords changed by an Administrator Help
This example leverages the Simple Search assistant. Our dataset is a collection of Windows security logs recording account password changes and resets. We look for many such changes made by the same account within a short period of time, and surface anything that matches.
SPL for Multiple Account Passwords changed by an Administrator
Here we start with a data set from the Windows event codes we are considering.
We count the number of events by user.
This macro attaches information from the ES Asset and Identity framework so you can see if a user is considered privileged.
Filter on privileged users only.
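The same four steps, written out as runnable detection logic over constructed sample events rather than Splunk data. This is an added example, not the SPL from this page or from Splunk Security Essentials; the field names (src_user for the subject account performing the change, user for the target account), the identity lookup standing in for the ES Asset and Identity framework, the ten-minute window and the threshold of three distinct accounts are all assumptions chosen for illustration. It also carries the response guidance one step further by separating expected resetters (help-desk and automated password management accounts) from results that should go to incident response.

```python
"""Detection logic for 'Multiple Account Passwords changed by an Administrator'
run over constructed sample events (added example, not Splunk's own code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Step 1: the Windows event codes the search considers
# (627/628 legacy, 4723 change attempt, 4724 reset attempt).
PASSWORD_CHANGE_CODES = {627, 628, 4723, 4724}

# Step 3 stand-in for the ES Asset & Identity lookup: identity -> privileged?
# (constructed; a real deployment reads this from the identity lookup table)
IDENTITY_LOOKUP = {
    "admin.jsmith": True,
    "helpdesk01": True,
    "svc-pwmanager": True,
    "bob.user": False,
}

# Accounts whose bulk resets are expected (help-desk, automated password
# management). Everything else that fires goes to incident response.
EXPECTED_RESETTERS = {"helpdesk01", "svc-pwmanager"}

# Constructed sample events. Field convention is an assumption:
# src_user = subject account making the change, user = target account.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T09:00:00", "EventCode": 4724, "src_user": "admin.jsmith", "user": "alice"},
    {"_time": "2024-03-01T09:01:30", "EventCode": 4724, "src_user": "admin.jsmith", "user": "carol"},
    {"_time": "2024-03-01T09:02:10", "EventCode": 4724, "src_user": "admin.jsmith", "user": "dave"},
    {"_time": "2024-03-01T09:02:40", "EventCode": 4724, "src_user": "admin.jsmith", "user": "alice"},  # repeat target
    {"_time": "2024-03-01T09:03:00", "EventCode": 4624, "src_user": "admin.jsmith", "user": "erin"},   # logon, ignored
    {"_time": "2024-03-01T10:00:00", "EventCode": 4724, "src_user": "helpdesk01", "user": "frank"},
    {"_time": "2024-03-01T10:01:00", "EventCode": 4724, "src_user": "helpdesk01", "user": "grace"},
    {"_time": "2024-03-01T10:02:00", "EventCode": 4724, "src_user": "helpdesk01", "user": "heidi"},
    {"_time": "2024-03-01T11:00:00", "EventCode": 4724, "src_user": "bob.user", "user": "ivan"},
    {"_time": "2024-03-01T11:01:00", "EventCode": 4724, "src_user": "bob.user", "user": "judy"},
    {"_time": "2024-03-01T11:02:00", "EventCode": 4724, "src_user": "bob.user", "user": "ken"},
    {"_time": "2024-03-01T14:00:00", "EventCode": 4724, "src_user": "admin.jsmith", "user": "leo"},   # spread out:
    {"_time": "2024-03-01T14:30:00", "EventCode": 4724, "src_user": "admin.jsmith", "user": "mia"},   # never three
    {"_time": "2024-03-01T15:00:00", "EventCode": 4724, "src_user": "admin.jsmith", "user": "ned"},   # in one window
]


def password_change_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Steps 1-2: keep password events, then per subject account count distinct
    target accounts inside a sliding time window. Returns {actor: targets} for
    actors that reached `threshold` distinct targets within any window."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["EventCode"] not in PASSWORD_CHANGE_CODES:
            continue
        per_actor[ev["src_user"]].append((datetime.fromisoformat(ev["_time"]), ev["user"]))

    hits = {}
    for actor, changes in per_actor.items():
        changes.sort()
        start = 0
        for end in range(len(changes)):
            # Slide the window start forward until it fits inside `window`.
            while changes[end][0] - changes[start][0] > window:
                start += 1
            targets = {target for _, target in changes[start:end + 1]}
            if len(targets) >= threshold:
                hits[actor] = hits.get(actor, set()) | targets
    return hits


def privileged_only(hits, identities=IDENTITY_LOOKUP):
    """Steps 3-4: enrich with the identity lookup and keep privileged actors.
    An actor missing from the lookup is treated as not privileged."""
    return {actor: t for actor, t in hits.items() if identities.get(actor, False)}


def triage(hits, expected=EXPECTED_RESETTERS):
    """Split results into (expected, investigate) per the response guidance."""
    expected_hits = {a: t for a, t in hits.items() if a in expected}
    investigate = {a: t for a, t in hits.items() if a not in expected}
    return expected_hits, investigate


def run_detection(events=SAMPLE_EVENTS):
    return triage(privileged_only(password_change_bursts(events)))


if __name__ == "__main__":
    documented, to_ir = run_detection()
    print("expected (document):", documented)
    print("investigate:", to_ir)
```

On the sample data admin.jsmith's morning burst of three distinct accounts fires while the afternoon resets, thirty minutes apart, do not; bob.user also touches three accounts but is dropped because the identity lookup does not mark the account as privileged, which is exactly the point made under Known False Positives: the identity data, not the search, decides who counts as privileged. Tune the window, threshold and expected-resetter set to your environment.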