远程重置帐户密码
编辑远程重置帐户密码编辑
识别远程重置潜在特权帐户密码的尝试。攻击者可能会操纵帐户密码以保持访问权限或规避密码有效期策略并保留泄露的凭据。
规则类型:eql
规则索引:
- winlogbeat-*
- logs-system.security*
- logs-windows.forwarded*
严重程度:中等
风险评分: 47
运行频率:5 分钟
搜索索引范围:now-9m(日期数学格式,另请参阅 额外的回溯时间)
每次执行的最大警报数: 100
参考:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
- https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/
- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
- https://elastic.ac.cn/security-labs/detect-credential-access
标签:
- 域:端点
- 操作系统:Windows
- 用例:威胁检测
- 策略:持久化
- 策略:影响
版本: 115
规则作者:
- Elastic
规则许可证:Elastic 许可证 v2
规则查询编辑
sequence by winlog.computer_name with maxspan=1m
[authentication where event.action == "logged-in" and
/* event 4624 need to be logged */
winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
source.ip != "127.0.0.1" and source.ip != "::1" and
not winlog.event_data.TargetUserName : ("svc*", "PIM_*", "_*_", "*-*-*", "*$")] by winlog.event_data.TargetLogonId
/* event 4724 need to be logged */
[iam where event.action == "reset-password" and
(
/*
This rule is very noisy if not scoped to privileged accounts, duplicate the
rule and add your own naming convention and accounts of interest here.
*/
winlog.event_data.TargetUserName: ("*Admin*", "*super*", "*SVC*", "*DC0*", "*service*", "*DMZ*", "*ADM*") or
winlog.event_data.TargetSid : ("S-1-5-21-*-500", "S-1-12-1-*-500")
)
] by winlog.event_data.SubjectLogonId
框架:MITRE ATT&CKTM
-
策略
- 名称:持久化
- ID:TA0003
- 参考链接:https://attack.mitre.org/tactics/TA0003/
-
技术
- 名称:帐户操纵
- ID:T1098
- 参考链接:https://attack.mitre.org/techniques/T1098/
-
策略
- 名称:影响
- ID:TA0040
- 参考链接:https://attack.mitre.org/tactics/TA0040/
-
技术
- 名称:帐户访问移除
- ID:T1531
- 参考链接:https://attack.mitre.org/techniques/T1531/