Detection rules › Splunk
Windows Multiple Account Passwords Changed
The following analytic detects instances where more than five unique Windows account passwords are changed within a 10-minute interval. It leverages Event Code 4724 from the Windows Security Event Log, using the wineventlog_security dataset to monitor and count distinct TargetUserName values. This behavior is significant as rapid password changes across multiple accounts are unusual and may indicate unauthorized access or internal compromise. If confirmed malicious, this activity could lead to widespread account compromise, unauthorized access to sensitive information, and potential disruption of services.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts |
| Persistence | T1078 Valid Accounts, T1098 Account Manipulation |
| Privilege Escalation | T1078 Valid Accounts, T1098 Account Manipulation |
| Defense Evasion | T1078 Valid Accounts |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4724 | An attempt was made to reset an account's password. |
Stages and Predicates
Stage 1: search
search EventCode=4724 status="success"
Stage 2: bucket
bucket span=10m _time
Stage 3: stats
stats dc(user) AS unique_users, … AS user, … AS dest BY EventCode, signature, _time, src_user, SubjectDomainName, TargetDomainName, Logon_ID
Stage 4: where
where unique_users>5
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
status | eq |
|
unique_users | gt |
|