id: 0b9ae89d-8cad-461c-808f-0494f70ad5c4 name: Multiple Password Reset by user description: | 'This query will determine multiple password resets by user across multiple data sources. Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.' severity: Low requiredDataConnectors: - connectorId: AzureActiveDirectory dataTypes: - AuditLogs - connectorId: SecurityEvents dataTypes: - SecurityEvent - connectorId: Syslog dataTypes: - Syslog - connectorId: Office365 dataTypes: - OfficeActivity - connectorId: WindowsSecurityEvents dataTypes: - SecurityEvents - connectorId: WindowsForwardedEvents dataTypes: - WindowsEvent queryFrequency: 1d queryPeriod: 1d triggerOperator: gt triggerThreshold: 0 tactics: - InitialAccess - CredentialAccess relevantTechniques: - T1078 - T1110 query: | let selfServicePasswordReset = dynamic(["Self-service password reset flow activity progress", "Change password (self-service)", "Reset password (self-service)"]); //Self-service password reset flow activity progress is typically caused by a password policy which requires users to rotate passwords. This operation already implies the user has signed in successfully and therefore the password reset is non-malicious. let PerUserThreshold = 5; let TotalThreshold = 100; let action = dynamic(["change", "changed", "reset"]); let pWord = dynamic(["password", "credentials"]); let PasswordResetMultiDataSource = (union isfuzzy=true (//Password reset events //4723: An attempt was made to change an account's password //4724: An attempt was made to reset an accounts password SecurityEvent | where EventID in ("4723","4724") | project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName), (//Password reset events //4723: An attempt was made to change an account's password //4724: An attempt was made to reset an accounts password WindowsEvent | where EventID in ("4723","4724") | extend SubjectUserSid = tostring(EventData.SubjectUserSid) | extend TargetUserName = tostring(EventData.TargetUserName) | extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName)) | extend AccountType=case(Account endswith "$" or SubjectUserSid in ("S-1-5-18", "S-1-5-19", "S-1-5-20"), "Machine", isempty(SubjectUserSid), "", "User") | project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName), (//Azure Active Directory Password reset events AuditLogs | where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ "success" | where OperationName !in (selfServicePasswordReset) | mv-apply TargetResource = TargetResources on ( where TargetResource.type =~ "User" | extend AccountType = tostring(TargetResource.type), Account = tostring(InitiatedBy.user.userPrincipalName), TargetUserName = tolower(tostring(TargetResource.userPrincipalName)) ) | project TimeGenerated, AccountType, Account, TargetUserName, Computer = "", Type), (//OfficeActive ActiveDirectory Password reset events OfficeActivity | where OfficeWorkload == "AzureActiveDirectory" | where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action)) | extend AccountType = UserType, Account = OfficeObjectId | project TimeGenerated, AccountType, Account, Type, Computer = ""), (// Unix syslog password reset events Syslog | where Facility in ("auth","authpriv") | where SyslogMessage has_any (pWord) and SyslogMessage has_any (action) | extend AccountType = iif(SyslogMessage contains "root", "Root", "Non-Root") | where SyslogMessage matches regex ".*password changed for.*" | parse SyslogMessage with * "password changed for" Account | project TimeGenerated, AccountType, Account, Computer = HostName, Type) ); let pwrmd = PasswordResetMultiDataSource | project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName; (union isfuzzy=true (pwrmd | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type | where Total > PerUserThreshold | extend ResetPivot = "PerUserReset"), (pwrmd | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type | where Total > TotalThreshold | extend ResetPivot = "TotalUserReset") ) | extend timestamp = StartTimeUtc, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')), Name = tostring(split(Account, '@', 0)[0]), UPNSuffix = tostring(split(Account, '@', 1)[0]), TargetName = tostring(split(TargetUserName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserName,'@',1)[0]) entityMappings: - entityType: Account fieldMappings: - identifier: FullName columnName: Account - identifier: Name columnName: Name - identifier: UPNSuffix columnName: UPNSuffix - entityType: Host fieldMappings: - identifier: FullName columnName: Computer - identifier: HostName columnName: HostName - identifier: DnsDomain columnName: DnsDomain - entityType: Account fieldMappings: - identifier: FullName columnName: TargetUserName - identifier: Name columnName: TargetName - identifier: UPNSuffix columnName: TargetUPNSuffix version: 2.1.7 kind: Scheduled metadata: source: kind: Community author: name: Microsoft Security Research support: tier: Community categories: domains: [ "Security - Others", "Identity" ]