远程账户密码重置
编辑远程账户密码重置
编辑识别远程重置潜在特权账户密码的尝试。攻击者可能会操纵账户密码以维持访问权限或逃避密码有效期策略,并保留被泄露的凭据。
规则类型: eql
规则索引:
- winlogbeat-*
- logs-system.security*
- logs-windows.forwarded*
严重程度: 中
风险评分: 47
运行频率: 5 分钟
搜索索引时间范围: now-9m (日期数学格式,另请参见 额外回溯时间
)
每次执行的最大警报数: 100
参考:
- https://docs.microsoft.com/zh-cn/windows/security/threat-protection/auditing/event-4724
- https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/
- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
- https://elastic.ac.cn/security-labs/detect-credential-access
标签:
- 域:端点
- 操作系统:Windows
- 用例:威胁检测
- 策略:持久性
- 策略:影响
- 数据源:系统
版本: 216
规则作者:
- Elastic
规则许可证: Elastic License v2
规则查询
编辑sequence by winlog.computer_name with maxspan=1m [authentication where event.action == "logged-in" and /* event 4624 need to be logged */ winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and not winlog.event_data.TargetUserName : ("svc*", "PIM_*", "_*_", "*-*-*", "*$")] by winlog.event_data.TargetLogonId /* event 4724 need to be logged */ [iam where event.action == "reset-password" and ( /* This rule is very noisy if not scoped to privileged accounts, duplicate the rule and add your own naming convention and accounts of interest here. */ winlog.event_data.TargetUserName: ("*Admin*", "*super*", "*SVC*", "*DC0*", "*service*", "*DMZ*", "*ADM*") or winlog.event_data.TargetSid : ("S-1-5-21-*-500", "S-1-12-1-*-500") ) ] by winlog.event_data.SubjectLogonId
框架: MITRE ATT&CKTM
-
策略
- 名称:持久性
- ID: TA0003
- 参考 URL:https://attack.mitre.org/tactics/TA0003/
-
技术
- 名称:账户操纵
- ID: T1098
- 参考 URL:https://attack.mitre.org/techniques/T1098/
-
策略
- 名称:影响
- ID: TA0040
- 参考 URL:https://attack.mitre.org/tactics/TA0040/
-
技术
- 名称:账户访问移除
- ID: T1531
- 参考 URL:https://attack.mitre.org/techniques/T1531/