Remote Account Password Reset


Identifies attempts to remotely reset the password of a potentially privileged account. Adversaries may manipulate account passwords to maintain access or evade password duration policies, preserving the compromised credentials.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-system.security*
  • logs-windows.forwarded*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Tactic: Impact
  • Data Source: System

Version: 216

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide


Performance

This rule may cause a medium to high performance impact, because its logic scopes in all remote Windows logon activity.

Rule query

sequence by winlog.computer_name with maxspan=1m
  [authentication where event.action == "logged-in" and
    /* event 4624 needs to be logged */
    winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
    source.ip != "127.0.0.1" and source.ip != "::1" and
    not winlog.event_data.TargetUserName : ("svc*", "PIM_*", "_*_", "*-*-*", "*$")] by winlog.event_data.TargetLogonId
   /* event 4724 needs to be logged */
  [iam where event.action == "reset-password" and
   (
    /*
       This rule is very noisy if not scoped to privileged accounts, duplicate the
       rule and add your own naming convention and accounts of interest here.
     */
    winlog.event_data.TargetUserName: ("*Admin*", "*super*", "*SVC*", "*DC0*", "*service*", "*DMZ*", "*ADM*") or
    winlog.event_data.TargetSid : ("S-1-5-21-*-500", "S-1-12-1-*-500")
    )
  ] by winlog.event_data.SubjectLogonId
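The following Python replays the two-step sequence above over constructed events, as an added illustration of the rule's logic; it is not part of the Elastic rule. The wildcard lists are copied from the query, while the event dictionaries and their keys (computer, target_logon_id, subject_logon_id, and so on) are simplified stand-ins for the winlog fields.

```python
import fnmatch
from datetime import datetime, timedelta

EXCLUDED_LOGON_USERS = ("svc*", "PIM_*", "_*_", "*-*-*", "*$")  # from the rule query
PRIVILEGED_USERS = ("*Admin*", "*super*", "*SVC*", "*DC0*", "*service*", "*DMZ*", "*ADM*")
PRIVILEGED_SIDS = ("S-1-5-21-*-500", "S-1-12-1-*-500")  # built-in Administrator (RID 500)
LOOPBACK = {"127.0.0.1", "::1", None}  # source.ip must be present and not local
MAXSPAN = timedelta(minutes=1)  # sequence ... with maxspan=1m

def _match(value, patterns):
    # Case-insensitive wildcard match, mirroring EQL's ':' operator.
    v = (value or "").lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)

def is_remote_logon(ev):
    """Step 1: successful network logon (4624) from a non-loopback address, excluding service and machine accounts."""
    return (ev["action"] == "logged-in" and ev.get("logon_type") == "Network"
            and ev.get("outcome") == "success" and ev.get("source_ip") not in LOOPBACK
            and not _match(ev["target_user"], EXCLUDED_LOGON_USERS))

def is_privileged_reset(ev):
    """Step 2: password reset (4724) whose target looks privileged by name or is RID 500."""
    return ev["action"] == "reset-password" and (
        _match(ev["target_user"], PRIVILEGED_USERS) or _match(ev.get("target_sid"), PRIVILEGED_SIDS))

def correlate(events):
    """Return (source_ip, logon_user, reset_target) when a remote logon session resets a privileged password within MAXSPAN."""
    alerts, pending = [], {}  # pending: (computer, logon_id) -> step-1 event awaiting its step 2
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_remote_logon(ev):
            pending[(ev["computer"], ev["target_logon_id"])] = ev
        elif is_privileged_reset(ev):
            logon = pending.get((ev["computer"], ev["subject_logon_id"]))  # join on the logon id
            if logon and ev["ts"] - logon["ts"] <= MAXSPAN:
                pending.pop((ev["computer"], ev["subject_logon_id"]))  # a matched sequence is consumed
                alerts.append((logon["source_ip"], logon["target_user"], ev["target_user"]))
    return alerts

T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    dict(ts=T0, computer="DC01", action="logged-in", logon_type="Network", outcome="success", source_ip="10.0.0.5", target_user="jdoe", target_logon_id="0x3e7a1"),
    dict(ts=T0 + timedelta(seconds=20), computer="DC01", action="reset-password", subject_logon_id="0x3e7a1", target_user="Administrator", target_sid="S-1-5-21-1-2-3-500"),
    dict(ts=T0 + timedelta(seconds=30), computer="DC01", action="logged-in", logon_type="Network", outcome="success", source_ip="127.0.0.1", target_user="jdoe", target_logon_id="0x5555"),
    dict(ts=T0 + timedelta(seconds=40), computer="DC01", action="reset-password", subject_logon_id="0x5555", target_user="backup-svc", target_sid="S-1-5-21-1-2-3-1105"),
    dict(ts=T0 + timedelta(minutes=2), computer="DC01", action="logged-in", logon_type="Network", outcome="success", source_ip="10.0.0.9", target_user="alice", target_logon_id="0x7777"),
    dict(ts=T0 + timedelta(minutes=4), computer="DC01", action="reset-password", subject_logon_id="0x7777", target_user="helpdeskAdmin", target_sid="S-1-5-21-1-2-3-2001"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # -> [('10.0.0.5', 'jdoe', 'Administrator')]
```

Only the first pair alerts: the loopback logon never enters the sequence, and the helpdeskAdmin reset arrives outside the one-minute window.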

Framework: MITRE ATT&CK™