Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.
Rule type: eql
Risk score: 47
Runs every: 5 minutes
Maximum alerts per execution: 100
Tags:
- Threat Detection
Added (Elastic Stack release): 8.0.0
Rule authors: Elastic
Rule license: Elastic License v2
False positive examples: Legitimate remote account administration.
Rule query:
sequence by host.id with maxspan=5m
  [authentication where event.action == "logged-in" and
   /* event 4624 needs to be logged */
   winlog.logon.type : "Network" and event.outcome == "success" and
   source.ip != null and not source.ip in ("127.0.0.1", "::1")] by winlog.event_data.TargetLogonId
  /* event 4724 needs to be logged */
  [iam where event.action == "reset-password"] by winlog.event_data.SubjectLogonId
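To make the two-stage join concrete, here is an added Python replay of the sequence over constructed sample events; it is not Elastic's code, and the shortened field names (host, target_logon_id, subject_logon_id, ...) are stand-ins for the ECS fields the query uses.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); only the fields the rule inspects are kept.
EVENTS = [
    # remote Network logon, then a reset by the same logon session two minutes later: should match
    {"ts": "2024-01-01T10:00:00", "host": "h1", "dataset": "authentication", "action": "logged-in",
     "logon_type": "Network", "outcome": "success", "source_ip": "10.0.0.5", "target_logon_id": "0x3e7a1"},
    {"ts": "2024-01-01T10:02:00", "host": "h1", "dataset": "iam", "action": "reset-password",
     "subject_logon_id": "0x3e7a1"},
    # loopback-sourced logon followed by a reset: excluded by the source.ip filter
    {"ts": "2024-01-01T10:00:00", "host": "h1", "dataset": "authentication", "action": "logged-in",
     "logon_type": "Network", "outcome": "success", "source_ip": "127.0.0.1", "target_logon_id": "0x1111"},
    {"ts": "2024-01-01T10:01:00", "host": "h1", "dataset": "iam", "action": "reset-password",
     "subject_logon_id": "0x1111"},
    # remote logon on another host, but the reset arrives after the 5-minute maxspan: no match
    {"ts": "2024-01-01T10:00:00", "host": "h2", "dataset": "authentication", "action": "logged-in",
     "logon_type": "Network", "outcome": "success", "source_ip": "10.0.0.9", "target_logon_id": "0x2222"},
    {"ts": "2024-01-01T10:07:00", "host": "h2", "dataset": "iam", "action": "reset-password",
     "subject_logon_id": "0x2222"},
]

LOOPBACK = {"127.0.0.1", "::1"}

def is_remote_logon(e):
    """First stage: successful Network (type 3) logon (event 4624) from a non-loopback source."""
    return (e["dataset"] == "authentication" and e["action"] == "logged-in"
            and e.get("logon_type") == "Network" and e.get("outcome") == "success"
            and e.get("source_ip") is not None and e["source_ip"] not in LOOPBACK)

def is_password_reset(e):
    """Second stage: a password reset (event 4724)."""
    return e["dataset"] == "iam" and e["action"] == "reset-password"

def correlate(events, maxspan=timedelta(minutes=5)):
    """Replay the sequence: stage 1 keyed by (host, TargetLogonId), stage 2 by (host, SubjectLogonId).
    Returns the (host, logon_id) keys whose reset followed the remote logon within maxspan."""
    pending = {}   # (host, logon_id) -> timestamp of the qualifying remote logon
    matches = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if is_remote_logon(e):
            pending[(e["host"], e["target_logon_id"])] = ts
        elif is_password_reset(e):
            key = (e["host"], e["subject_logon_id"])
            start = pending.pop(key, None)
            if start is not None and ts - start <= maxspan:
                matches.append(key)
    return matches

if __name__ == "__main__":
    print(correlate(EVENTS))  # [('h1', '0x3e7a1')]
```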