medium advisory

Account Password Reset Remotely

The rule detects attempts to reset potentially privileged account passwords remotely, a tactic used by adversaries to maintain access, evade password policies, and preserve compromised credentials.

This detection rule identifies suspicious remote password resets targeting potentially privileged accounts on Windows systems. Attackers may reset passwords to maintain unauthorized access, evade password duration policies, or preserve compromised credentials. The rule correlates a successful network logon (Windows Security Event ID 4624 with a network logon type) with a subsequent password reset (Event ID 4724), and restricts matches to privileged accounts to reduce false positives. The goal is to surface anomalous password reset activity that may indicate malicious activity. The rule was last updated on 2026/05/04.

Attack Chain

  1. An attacker gains initial access to the network (e.g., through credential theft or phishing).
  2. The attacker attempts a network login to a Windows system, generating a 4624 event with logon type “Network”.
  3. The system logs a successful authentication event (event ID 4624) with a network logon type.
  4. The attacker identifies a privileged account, such as an administrator account or a service account with elevated permissions.
  5. The attacker initiates a password reset for the privileged account.
  6. A password reset event (event ID 4724) is triggered, indicating that a password has been reset.
  7. The attacker leverages the reset password to maintain persistent access to the compromised account.
  8. The attacker performs malicious actions using the compromised privileged account, potentially leading to data exfiltration or system compromise.

Impact

Successful password resets of privileged accounts can lead to significant security breaches. Attackers can maintain persistent access, escalate privileges, and move laterally within the network. This can result in data theft, system compromise, and disruption of services. If successful, attackers can potentially gain control over critical systems and data, leading to significant financial and reputational damage.

Recommendation

  • Enable the Windows audit policies for “Audit Logon” and “Audit User Account Management” to generate the necessary events for this detection.
  • Deploy the Sigma rule “Detect Remote Password Reset of Privileged Account” to your SIEM and tune it to your environment, excluding legitimate administrative accounts and processes.
  • Investigate any alerts generated by the Sigma rule by reviewing the source IP address and the target account to determine if the password reset was authorized.
  • Monitor for Event ID 4724 (Account Password Reset) in conjunction with network login events to identify suspicious password reset activity.
  • Review and update access controls and privileged account management policies to prevent similar incidents in the future, as mentioned in the overview section.
  • Create exceptions for known IT personnel or service accounts that legitimately perform remote password resets, as detailed in the false positive analysis section.
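The attack chain above and the recommendation to monitor Event ID 4724 alongside network logon events can be expressed as a small correlation check. This is an added example written for this page, not the platform's Sigma rule or its query: it works on constructed sample events carrying a simplified subset of the real 4624/4724 field names, and the privileged-account naming pattern and allowlist are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Event 4624 = successful logon
# (LogonType 3 = Network); event 4724 = an account password reset attempt.
# Field names follow the Windows Security Event Log, but only a subset is kept.
SAMPLE_EVENTS = [
    {"time": "2026-05-04T10:00:00", "id": 4624, "LogonType": 3,
     "TargetUserName": "helpdesk1", "TargetLogonId": "0x3e7a1", "IpAddress": "10.0.0.5"},
    {"time": "2026-05-04T10:02:30", "id": 4724,
     "SubjectUserName": "helpdesk1", "SubjectLogonId": "0x3e7a1", "TargetUserName": "svc_backup"},
    {"time": "2026-05-04T11:00:00", "id": 4624, "LogonType": 2,  # interactive, not remote
     "TargetUserName": "alice", "TargetLogonId": "0x4f001", "IpAddress": "127.0.0.1"},
    {"time": "2026-05-04T11:01:00", "id": 4724,
     "SubjectUserName": "alice", "SubjectLogonId": "0x4f001", "TargetUserName": "Administrator"},
    {"time": "2026-05-04T12:00:00", "id": 4624, "LogonType": 3,
     "TargetUserName": "bob", "TargetLogonId": "0x51000", "IpAddress": "10.0.0.9"},
    {"time": "2026-05-04T12:00:10", "id": 4724,  # reset of a non-privileged account
     "SubjectUserName": "bob", "SubjectLogonId": "0x51000", "TargetUserName": "jdoe"},
]

# Assumed naming convention for "potentially privileged" accounts; adjust per environment.
PRIVILEGED = re.compile(r"^(administrator|admin|.*adm|svc_.*|krbtgt)$", re.IGNORECASE)
# Known legitimate resetters (e.g. a help-desk automation account), lower-cased.
ALLOWLIST = set()


def find_remote_privileged_resets(events, window=timedelta(minutes=10)):
    """Return alerts for 4724 resets of privileged accounts whose subject logon
    session came from a network logon (4624, LogonType 3) within `window`."""
    network_logons = {}  # TargetLogonId -> (logon time, source IP, logged-on user)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624 and ev.get("LogonType") == 3:
            network_logons[ev["TargetLogonId"]] = (ts, ev["IpAddress"], ev["TargetUserName"])
        elif ev["id"] == 4724:
            logon = network_logons.get(ev["SubjectLogonId"])  # same session as the logon
            target = ev["TargetUserName"]
            if (logon and ts - logon[0] <= window
                    and PRIVILEGED.match(target)
                    and ev["SubjectUserName"].lower() not in ALLOWLIST):
                alerts.append({"subject": ev["SubjectUserName"], "source_ip": logon[1],
                               "target": target, "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in find_remote_privileged_resets(SAMPLE_EVENTS):
        print(alert)
```

Only the helpdesk1 reset of svc_backup is reported: alice's reset follows a local logon and bob's target is not privileged, which is the false-positive reduction the rule description relies on.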

Detection coverage (2)

Detect Remote Password Reset of Privileged Account

medium

Detects remote password resets of potentially privileged accounts.

Format: Sigma · Tactics: Persistence · Techniques: T1098 · Sources: process_creation, windows

Detect Account Password Reset via PowerShell

medium

Detects account password resets via PowerShell commands

Format: Sigma · Tactics: Persistence · Techniques: T1098 · Sources: process_creation, windows

Detection queries are kept inside the platform. Get full rules →