AD_Password_Reset_Multiple

ID: 100472

Description:

EventID 4724: An attempt was made to reset an accounts password (ID: T1531)

An aggregation rule to detect mass password change, when one account (SubjectUserName) performs more than ten (10) password changes per day for another account (TargetUserName).

Note: This event is different than EventID 4723 (Password self-change)

Ref: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4724

Repository: Group: AD Type: event

Default Status:

Enabled

Tags:
AD

Selector:

Query:

Filters:

Field	MUST hit
@fields.EventID	4724

Field	MUST NOT hit

Behavior Rule:

Key	Type	Behavior Category
@fields.SubjectUserName	username	account login

Risks:

Risks	Base Score	Dimension

Attributes:

Alias	Key
TargetUserName	@fields.TargetUserName
TargetDomainName	@fields.TargetDomainName
SubjectFullName	@fields.SubjectFullName
TargetFullName	@fields.TargetFullName

Correlation Rules:

Aggregation:

Name	Window	Field	AggType	Match
MultipleAccts	1 hour	@fields.TargetUserName	cardinality	gt 10
	Risks:	ALERT_NORMAL	ALERT_POLICY

History:

User	Date
ke*y@fluencysecurity.com	2021 Mar 1 02:14:59 EST
ho*d@fluencysecurity.com	2021 Sep 30 10:27:32 EDT
ho*d@fluencysecurity.com	2021 Oct 11 15:18:03 EDT

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)