Add User Account Password Changed Rules

config/target_event_IDs.txt

@@ -105,6 +105,8 @@
 4706
 4719
 4720
+4723
+4724
 4728
 4729
 4732
@@ -162,4 +164,4 @@
 30804
 30806
 31010
-33205
+33205

hayabusa/builtin/Security/AccountManagement/UserAccountManagement/Sec_4723_Med_AcctPassword_OwnChanged.yml

@@ -0,0 +1,69 @@
+author: Darkrael
+date: 2025/01/13
+modified: 2025/01/27
+
+title: User Password Changed
+description: A user account changed it's own password. Adversaries might change the password to lockout legitimate user or set the password to a known clear text passwort via Pass the Hash if only the password hash is known. This will allow an adversary to access services where Pass the Hash is not an option.
+
+id: 3b3046f3-a51c-4378-b059-c716aaa865b4
+level: medium
+status: stable
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        Channel: Security
+        EventID: 4723
+    filter:
+        TargetUserName|endswith: '$' # Filter out machine/computer accounts
+    condition: selection and not filter
+falsepositives:
+    - none
+tags:
+    - attack.privilege_escalation
+references: 
+    - https://trustedsec.com/blog/manipulating-user-passwords-without-mimikatz
+ruletype: Hayabusa
+sample-message: |
+    An attempt was made to reset an account's password.
+
+    Subject:
+        Security ID:        EXAMPLE\Administrator
+        Account Name:       Administrator
+        Account Domain:     EXAMPLE
+        Logon ID:       0xADC8EC66
+
+    Target Account:
+        Security ID:        EXAMPLE\testuser
+        Account Name:       testuser
+        Account Domain:     EXAMPLE
+sample-evtx: |
+    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+        <System>
+            <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> 
+            <EventID>4723</EventID> 
+            <Version>0</Version> 
+            <Level>0</Level> 
+            <Task>13824</Task> 
+            <Opcode>0</Opcode> 
+            <Keywords>0x8020000000000000</Keywords> 
+            <TimeCreated SystemTime="2025-01-16T12:13:22.9874968Z" /> 
+            <EventRecordID>5304424</EventRecordID> 
+            <Correlation /> 
+            <Execution ProcessID="792" ThreadID="8436" /> 
+            <Channel>Security</Channel> 
+            <Computer>DC01.domain.example</Computer> 
+            <Security /> 
+        </System>
+        <EventData>
+            <Data Name="TargetUserName">testuser</Data> 
+            <Data Name="TargetDomainName">EXAMPLE</Data> 
+            <Data Name="TargetSid">S-1-5-21-3623811015-3361044348-30300820-1130</Data> 
+            <Data Name="SubjectUserSid">S-1-5-21-3623811015-3361044348-30300820-1130</Data> 
+            <Data Name="SubjectUserName">testuser</Data> 
+            <Data Name="SubjectDomainName">EXAMPLE</Data> 
+            <Data Name="SubjectLogonId">0xadf138e8</Data> 
+            <Data Name="PrivilegeList">-</Data> 
+        </EventData>
+    </Event>

hayabusa/builtin/Security/AccountManagement/UserAccountManagement/Sec_4724_Med_AcctPassword_OtherChanged.yml

@@ -0,0 +1,71 @@
+author: Darkrael
+date: 2025/01/13
+modified: 2025/01/27
+
+title: Password Reset By Admin
+description: A user accounts password was changed by another account. The current password is not required to reset the password. An adversary might change the password of another account to lock out legitimate users or gain access to the account. This could be done if the account controlled by the attacker has permission to change the password, or as a step in attacks like Pass the Cert.
+
+id: 0b78aca4-35f0-4bec-acce-c5743ff26614
+level: medium
+status: stable
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        Channel: Security
+        EventID: 4724
+    filter:
+        TargetUserName|endswith: '$' # Filter out machine/computer accounts
+    condition: selection and not filter
+falsepositives:
+    - none
+tags:
+    - attack.privilege_escalation
+references:
+    - https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html
+ruletype: Hayabusa
+sample-message: |
+    An attempt was made to change an account's password.
+
+    Subject:
+        Security ID:        EXAMPLE\testuser
+        Account Name:       testuser
+        Account Domain:     EXAMPLE
+        Logon ID:       0xADF138E8
+
+    Target Account:
+        Security ID:        EXAMPLE\testuser
+        Account Name:       testuser
+        Account Domain:     EXAMPLE
+
+    Additional Information:
+        Privileges      -
+sample-evtx: |
+    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+        <System>
+            <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> 
+            <EventID>4724</EventID> 
+            <Version>0</Version> 
+            <Level>0</Level> 
+            <Task>13824</Task> 
+            <Opcode>0</Opcode> 
+            <Keywords>0x8020000000000000</Keywords> 
+            <TimeCreated SystemTime="2025-01-16T11:51:09.6838910Z" /> 
+            <EventRecordID>5303740</EventRecordID> 
+            <Correlation /> 
+            <Execution ProcessID="792" ThreadID="9512" /> 
+            <Channel>Security</Channel> 
+            <Computer>DC01.domain.example</Computer> 
+            <Security /> 
+        </System>
+        <EventData>
+            <Data Name="TargetUserName">testuser</Data> 
+            <Data Name="TargetDomainName">EXAMPLE</Data> 
+            <Data Name="TargetSid">S-1-5-21-3623811015-3361044348-30300820-1130</Data> 
+            <Data Name="SubjectUserSid">S-1-5-21-3623811015-3361044348-30300820-500</Data> 
+            <Data Name="SubjectUserName">Administrator</Data> 
+            <Data Name="SubjectDomainName">EXAMPLE</Data> 
+            <Data Name="SubjectLogonId">0xadc8ec66</Data> 
+        </EventData>
+    </Event>