Link Search Menu Expand Document

AD_Password_Reset_Multiple

ID: 100472

Description:

EventID 4724: An attempt was made to reset an accounts password (ID: T1531)

An aggregation rule to detect mass password change, when one account (SubjectUserName) performs more than ten (10) password changes per day for another account (TargetUserName).

Note: This event is different than EventID 4723 (Password self-change)

Ref: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4724

Repository: Group: AD Type: event

Default Status:

Enabled

Tags:
AD
 

Selector:

Query:

Filters:

Field MUST hit
@fields.EventID 4724
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
@fields.SubjectUserName username account login

Risks:

Risks Base Score Dimension
     

Attributes:

Alias Key
TargetUserName @fields.TargetUserName
TargetDomainName @fields.TargetDomainName
SubjectFullName @fields.SubjectFullName
TargetFullName @fields.TargetFullName

Correlation Rules:

Aggregation:

Name Window Field AggType Match
MultipleAccts 1 hour @fields.TargetUserName cardinality gt 10
  Risks: ALERT_NORMAL ALERT_POLICY  

History:

User Date
ke*y@fluencysecurity.com 2021 Mar 1 02:14:59 EST
ho*d@fluencysecurity.com 2021 Sep 30 10:27:32 EDT
ho*d@fluencysecurity.com 2021 Oct 11 15:18:03 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)