Techniques
Sample rules
Windows Admin Password Changed by Non-Admin
- source: splunk
- techniques:
Description
The following analytic detects when an unprivileged user changes an Admin account's password. This is a common artifact of successful exploitation of the BlueHammer Windows Defender privilege escalation. The attacker's process momentarily changes the passwords of high-value local accounts, including the built-in Administrator, to spawn an authenticated shell session, then immediately reverts the passwords to avoid detection. The detection relies on EventID 4723 (an attempt was made to change an account's password), which Windows logs for this activity.
Detection logic
`wineventlog_security`
EventCode=4723
| rex field=object_id "-(?<target_rid>\d+)$"
| rex field=SubjectUserSid "-(?<subject_rid>\d+)$"
| where target_rid="500" OR tonumber(target_rid) IN (512,513,518,519,520)
| where tonumber(subject_rid) >= 1000
| where SubjectUserSid != object_id
| stats count min(_time) as firstTime max(_time) as lastTime by dest user object_id EventCode src_user SubjectUserSid SubjectLogonId PrivilegeList
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_admin_password_changed_by_non_admin_filter`
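As an added illustration (not part of the original rule or of the Splunk security content it comes from), the following Python reproduces the rule's filters and its stats clause over a handful of constructed 4723 events, so the behaviour can be checked without a Splunk instance. The domain SID prefix, hostnames, account names and logon ids are made up; the field names (object_id, SubjectUserSid, SubjectLogonId, PrivilegeList, dest, user, src_user) follow the SPL above.

```python
import re

# Target RIDs the rule treats as high value: 500 is the built-in Administrator;
# 512, 513, 518, 519 and 520 are the well-known RIDs listed in the rule.
HIGH_VALUE_RIDS = {500, 512, 513, 518, 519, 520}
# Built-in principals have RIDs below 1000; the rule treats a subject whose RID
# is 1000 or higher as an ordinary, non-built-in account.
MIN_SUBJECT_RID = 1000
# Fields of the SPL "stats ... by" clause, used here as the grouping key.
GROUP_BY = ("dest", "user", "object_id", "EventCode", "src_user",
            "SubjectUserSid", "SubjectLogonId", "PrivilegeList")

RID_RE = re.compile(r"-(\d+)$")   # same pattern as the two rex commands


def rid_of(sid):
    """Return the trailing RID of a SID as an int, or None when absent."""
    m = RID_RE.search(sid or "")
    return int(m.group(1)) if m else None


def matches(event):
    """Apply the rule's filters to one parsed 4723 event (a dict of fields)."""
    if event.get("EventCode") != 4723:
        return False
    target_rid = rid_of(event.get("object_id"))
    subject_rid = rid_of(event.get("SubjectUserSid"))
    # If either rex extracts nothing, the SPL where() clauses evaluate false.
    if target_rid is None or subject_rid is None:
        return False
    if target_rid not in HIGH_VALUE_RIDS:
        return False
    if subject_rid < MIN_SUBJECT_RID:
        return False
    # Kept to mirror the SPL: excludes a user changing their own password.
    if event.get("SubjectUserSid") == event.get("object_id"):
        return False
    return True


def aggregate(events):
    """Mirror the stats clause: count and first/last time per group key."""
    groups = {}
    for e in events:
        if not matches(e):
            continue
        key = tuple(e.get(f) for f in GROUP_BY)
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"],
                                    "lastTime": e["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    return groups


# Constructed sample events (not real telemetry); the domain SID is made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"


def _ev(t, host, subject_rid, subject_name, target_rid, target_name, **extra):
    e = {"_time": t, "dest": host, "EventCode": 4723,
         "src_user": subject_name, "user": target_name,
         "SubjectUserSid": f"{DOM}-{subject_rid}",
         "object_id": f"{DOM}-{target_rid}",
         "SubjectLogonId": "0x3e7a1", "PrivilegeList": "-"}
    e.update(extra)
    return e


SAMPLE_EVENTS = [
    _ev(100, "ws01", 1001, "jdoe", 500, "Administrator"),   # alerts
    _ev(160, "ws01", 1001, "jdoe", 500, "Administrator"),   # same group, count 2
    _ev(200, "ws01", 500, "Administrator", 1001, "jdoe"),   # built-in admin acting: no alert
    _ev(260, "ws02", 1002, "svc_app", 513, "DomainUsers"),  # alerts, separate group
    _ev(300, "ws02", 1002, "svc_app", 500, "Administrator",
        object_id=""),                                      # malformed SID: no alert
]

if __name__ == "__main__":
    for key, g in aggregate(SAMPLE_EVENTS).items():
        print(dict(zip(GROUP_BY, key)), g)
```

Running the block prints two groups: the jdoe/Administrator pair on ws01 with a count of 2 and first/last times 100 and 160, and a single svc_app event on ws02. The events where the built-in Administrator is the subject, or where the target SID does not parse, are dropped exactly as the where() clauses drop them in Splunk.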