LoFP LoFP / some it support tools or automated scripts may change administrator passwords during maintenance. verify changes against authorized administrative activities to reduce false alerts.

Techniques

Sample rules

Windows Admin Password Changed by Non-Admin

Description

The following analytic detects when a unprivileged user changes an Admin accounts password. This is a common artifact of successful exploitation of the BlueHammer Windows Defender privilege escalation. The attacker’s process momentarily changes the passwords of high-value local accounts including the built-in Administrator to spawn an authenticated shell session, then immediately reverts the passwords to avoid detection. This uses EventID 4723 to log this activity.

Detection logic

`wineventlog_security`
EventCode=4723

| rex field=object_id "-(?<target_rid>\d+)$"

| rex field=SubjectUserSid "-(?<subject_rid>\d+)$"

| where target_rid="500" OR tonumber(target_rid) IN (512,513,518,519,520)

| where tonumber(subject_rid) >= 1000

| where SubjectUserSid != object_id

| stats count min(_time) as firstTime
              max(_time) as lastTime
  by dest user object_id EventCode src_user
     SubjectUserSid SubjectLogonId PrivilegeList

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_admin_password_changed_by_non_admin_filter`