Detect previous password change in bruteforce detection rule

Hi, we built a bruteforce use case which detects winlog bruteforces. The query is as follows:
event.category : "authentication" and event.outcome : "failure" and (winlog.event_data.Status: "0x18" or winlog.event_data.Status: ("0XC000006D" or "0xC000006A" ))

Sometimes we get alerts of this use case. Often we see that the alert came after a user or account changed their password. This triggers a series of unsuccessful authentication attempts, triggering our rule.

Our idea is as follows: Either within or outside of this rule, we want to check if the user who triggered the detection rule has changed their password in the last week or so (winlog event ID 4723 or 4724).

How would this be possible? Might this be possible within the rule itself or do we need machine learning for this?

Greetings,
Erik

You can check the Last Password Changed information for a user account in Active Directory. The information for last password changed is stored in an attribute called “PwdLastSet”.

It is important to note whether this attribute is mapped in ECS to the mentioned events or other events related to user management. If not, you can find this attribute by reading all the information in the message field.

I also recommend taking a look at this topic to see if it helps:

1 Like
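As an added illustration of the pwdLastSet approach above (this is not code from the poster or from Elastic), the attribute is stored as a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC, with 0 meaning "never set / must change at next logon". The snippet below converts a raw value and checks whether the change falls inside a lookback window; the sample value and the 7-day window are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond ticks counted from 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Sentinel AD uses for "never" in some date attributes (accountExpires etc.).
FILETIME_NEVER = 2**63 - 1


def pwd_last_set_to_datetime(pwd_last_set):
    """Convert a raw pwdLastSet value to an aware UTC datetime.

    Returns None for 0 (password never set / must change at next logon),
    negative values, or the "never" sentinel, so callers cannot mistake
    those for a real change time.
    """
    if pwd_last_set is None or pwd_last_set <= 0 or pwd_last_set >= FILETIME_NEVER:
        return None
    # 10 ticks of 100 ns = 1 microsecond; integer division keeps the value exact.
    return FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)


def password_changed_recently(pwd_last_set, now, window=timedelta(days=7)):
    """True if pwdLastSet falls within [now - window, now]."""
    changed_at = pwd_last_set_to_datetime(pwd_last_set)
    if changed_at is None:
        return False
    return now - window <= changed_at <= now


# Constructed sample: a password set on 2024-01-10 12:00 UTC, encoded as FILETIME.
SAMPLE_CHANGE_TIME = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_PWD_LAST_SET = int((SAMPLE_CHANGE_TIME - FILETIME_EPOCH).total_seconds()) * 10_000_000


if __name__ == "__main__":
    print(pwd_last_set_to_datetime(SAMPLE_PWD_LAST_SET))
    print(password_changed_recently(SAMPLE_PWD_LAST_SET, datetime(2024, 1, 12, tzinfo=timezone.utc)))
    print(password_changed_recently(SAMPLE_PWD_LAST_SET, datetime(2024, 2, 1, tzinfo=timezone.utc)))
```

If the attribute only arrives inside the `message` field, the same conversion applies once you have extracted the integer; the key edge case to preserve is that 0 must not be treated as "changed in 1601".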

You could combine this detection with an eql rule (if you are on version 8.9+).

This rule would become a building block rule and you would create an additional eql rule with something like this:

query = """
sequence with maxspan=1h
  ![iam where event.action:"change-password"] by user.target.name
  [authentication where signal.rule.name:"<original rule name>"] by user.name
"""

This would create alerts for users who triggered the brute force detection without changing their password in the 1h prior to that.

Another option is to do it entirely in eql:

query = """
sequence with maxspan=1h
  ![iam where event.action:"change-password"] by user.target.name
  [authentication where event.outcome:"failure" and winlog.event_data.Status:("0x18", "0XC000006D", "0xC000006A")] by user.name with runs=5
"""

event.action needs to be validated for the correct value.

Both of these should take the change password event into account.

1 Like
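To make the semantics of the second EQL sequence concrete, here is an added Python model of it (not code from the poster or from Elastic): a run of `runs` failures for one user within `maxspan`, suppressed when a change-password event for that user occurred within `maxspan` before the first failure. The events, the user names and the use of `event.code` for 4723/4724 are constructed for the example, and the "no change in the maxspan before the first failure" reading of the negated sequence step is an assumption made to keep the model simple.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Status codes from the original brute force rule, compared case-insensitively
# because the source query mixes "0XC000006D" and "0xC000006A".
BRUTE_FORCE_STATUS = {"0x18", "0xc000006d", "0xc000006a"}


def _ts(hhmm):
    """Helper to build timestamps on a fixed constructed day."""
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]), tzinfo=timezone.utc)


def failure(user, hhmm, status="0xC000006A"):
    """Constructed authentication failure event (ECS-style flat keys)."""
    return {"@timestamp": _ts(hhmm), "event.category": "authentication",
            "event.outcome": "failure", "user.name": user,
            "winlog.event_data.Status": status}


def pw_change(target, hhmm, event_code="4724"):
    """Constructed change-password event (4723 self-change / 4724 reset)."""
    return {"@timestamp": _ts(hhmm), "event.category": "iam",
            "event.action": "change-password", "event.code": event_code,
            "user.target.name": target}


# Constructed sample: alice's failures follow a reset, bob has none,
# carol never reaches five, dave's reset is too old to count.
EVENTS = [
    pw_change("alice", "10:00"),
    *[failure("alice", f"10:0{m}") for m in range(5, 10)],
    *[failure("bob", f"11:0{m}") for m in range(0, 5)],
    *[failure("carol", f"13:0{m}") for m in range(0, 3)],
    pw_change("dave", "08:00", event_code="4723"),
    *[failure("dave", f"12:0{m}") for m in range(0, 5)],
]


def is_brute_force_failure(e):
    return (e.get("event.category") == "authentication"
            and e.get("event.outcome") == "failure"
            and str(e.get("winlog.event_data.Status", "")).lower() in BRUTE_FORCE_STATUS)


def correlate(events, maxspan=timedelta(hours=1), runs=5):
    """Return one alert per run of `runs` failures not preceded by a password change."""
    changes = defaultdict(list)   # user -> change-password timestamps
    failures = defaultdict(list)  # user -> failure timestamps, sorted
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        if e.get("event.category") == "iam" and e.get("event.action") == "change-password":
            changes[e["user.target.name"]].append(e["@timestamp"])
        elif is_brute_force_failure(e):
            failures[e["user.name"]].append(e["@timestamp"])

    alerts = []
    for user, times in failures.items():
        i = 0
        while i + runs <= len(times):
            first, last = times[i], times[i + runs - 1]
            if last - first <= maxspan:
                # The negated sequence step: any change for this user in the
                # maxspan window before the first failure suppresses the alert.
                recent_change = any(first - maxspan <= c <= first for c in changes.get(user, []))
                if not recent_change:
                    alerts.append({"user.name": user, "first_failure": first, "last_failure": last})
                i += runs  # a completed run is consumed, like EQL's runs=N
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["user.name"], a["first_failure"].time(), a["last_failure"].time())
```

Running it alerts on bob and dave but not on alice, which is exactly the outcome the rule is meant to produce; widening `maxspan` to 5 hours also suppresses dave, showing why the window length is the main tuning knob here.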
