From 0816938bd2ebc66ad987b22c8c57b0041c870a4b Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Sun, 17 Oct 2021 20:44:22 +0200
Subject: [PATCH 1/8] [New Rule] Account Password Reset Remotely
---
 etc/non-ecs-schema.json | 7 ++-
 .../persistence_remote_password_reset.toml | 53 +++++++++++++++++++
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/persistence_remote_password_reset.toml
diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index 927117291b3..d1eb31c681d 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -11,7 +11,12 @@
 "winlog.event_data.OriginalFileName": "keyword",
 "winlog.event_data.GrantedAccess": "keyword",
 "winlog.event_data.CallTrace": "keyword",
- "powershell.file.script_block_text": "text"
+ "powershell.file.script_block_text": "text",
+ "winlog.event_data.CallerProcessName": "keyword",
+ "winlog.event_data.TargetSid": "keyword",
+ "winlog.logon.type": "keyword",
+ "winlog.event_data.TargetLogonId": "keyword",
+ "winlog.event_data.SubjectLogonId": "keyword"
 },
 "filebeat-*": {
 "o365.audit.NewValue": "keyword"
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
new file mode 100644
index 00000000000..09564a24c93
--- /dev/null
+++ b/rules/windows/persistence_remote_password_reset.toml
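Review bot: Two of the keys added here, `winlog.event_data.CallerProcessName` and `winlog.event_data.TargetSid`, are not referenced by the query in the rule file this patch creates, which uses only `winlog.logon.type`, `winlog.event_data.TargetLogonId` and `winlog.event_data.SubjectLogonId`. If they are reserved for a follow-up rule that is fine, but the PR description should say so; otherwise leaving them out keeps this non-ECS allowlist to fields a rule actually validates against, which is what makes the schema check useful. The three keys the rule does use look right for the 4624/4724 join, as far as can be told without the winlogbeat mapping in view.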
@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2021/10/18"
+maturity = "production"
+updated_date = "2021/10/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies attempt to remotely reset an account. Adversaries may manipulate account password to maintain access or evade
+password duration policies and preserve the life of compromised credentials.
+"""
+false_positives = ["Legitimate remote accounts administration."]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Account Password Reset Remotely"
+references = [
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724",
+ "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/",
+ "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx",
+]
+risk_score = 47
+rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan=5m
+ [authentication where event.action=="logged-in" and
+ /* event 4624 need to be logged */
+ winlog.logon.type:"Network" and event.outcome == "success" and source.ip != null and
+ source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId
+ /* event 4724 need to be logged */
+ [iam where event.action == "reset-password"] by winlog.event_data.SubjectLogonId
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+reference = "https://attack.mitre.org/techniques/T1098/"
+name = "Account Manipulation"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+name = "Persistence"
+
From b686fbb2694fd030447f771bb90f62a9e2370171 Mon Sep 17 00:00:00 2001
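Review bot: The audit-policy prerequisite is recorded only inside the query, as `/* event 4624 need to be logged */` and `/* event 4724 need to be logged */`, so nothing in the rule metadata tells the operator enabling it that the Audit Logon (4624) and Audit User Account Management (4724) subcategories must be collected from the monitored hosts. A `note` field with a short "## Config" section stating that both Security events are required, and that a network logon session established more than the 5-minute `maxspan` before the 4724 event will not be joined, would surface this next to the description instead of in a comment only a query editor sees. Those two comments should also read `needs to be logged`. Since `false_positives` names only legitimate remote administration, it is worth adding there that helpdesk or admin-workstation resets are best handled with exceptions on `source.ip` for known administration hosts rather than by loosening the sequence.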
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Sun, 17 Oct 2021 20:47:43 +0200
Subject: [PATCH 2/8] Update non-ecs-schema.json
---
 etc/non-ecs-schema.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index d1eb31c681d..845944e52a9 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -11,12 +11,12 @@
 "winlog.event_data.OriginalFileName": "keyword",
 "winlog.event_data.GrantedAccess": "keyword",
 "winlog.event_data.CallTrace": "keyword",
- "powershell.file.script_block_text": "text",
- "winlog.event_data.CallerProcessName": "keyword",
- "winlog.event_data.TargetSid": "keyword",
- "winlog.logon.type": "keyword",
- "winlog.event_data.TargetLogonId": "keyword",
- "winlog.event_data.SubjectLogonId": "keyword"
+ "powershell.file.script_block_text": "text",
+ "winlog.event_data.CallerProcessName": "keyword",
+ "winlog.event_data.TargetSid": "keyword",
+ "winlog.logon.type": "keyword",
+ "winlog.event_data.TargetLogonId": "keyword",
+ "winlog.event_data.SubjectLogonId": "keyword"
 },
 "filebeat-*": {
 "o365.audit.NewValue": "keyword"
From b92e57d4847d87a56e1f63ea1ac46c8db0c3d559 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Sun, 17 Oct 2021 20:51:39 +0200
Subject: [PATCH 3/8] udpate ruleId
---
 rules/windows/persistence_remote_password_reset.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 09564a24c93..cc86b96efe9 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -21,7 +21,7 @@ references = [
 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx",
 ]
 risk_score = 47
-rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05"
+rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 timestamp_override = "event.ingested"
From c85573da31c52d16300fd2558a85a220bfa26d53 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 20 Oct 2021 12:41:12 +0200
Subject: [PATCH 4/8] Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan
---
 rules/windows/persistence_remote_password_reset.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index cc86b96efe9..9d3f8d33bcd 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -6,8 +6,8 @@ updated_date = "2021/10/18"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies attempt to remotely reset an account. Adversaries may manipulate account password to maintain access or evade
-password duration policies and preserve the life of compromised credentials.
+Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain
+access or evade password duration policies and preserve compromised credentials.
 """
 false_positives = ["Legitimate remote accounts administration."]
 from = "now-9m"
From 8bcfd3079d34d2a5daec1fe02be1dd80484425f5 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 20 Oct 2021 12:41:20 +0200
Subject: [PATCH 5/8] Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan
---
 rules/windows/persistence_remote_password_reset.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 9d3f8d33bcd..42522ddfa44 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -9,7 +9,7 @@ description = """
 Identifies an attempt to reset an account password remotely. Adversaries may manipulate account passwords to maintain
 access or evade password duration policies and preserve compromised credentials.
 """
-false_positives = ["Legitimate remote accounts administration."]
+false_positives = ["Legitimate remote account administration."]
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.*"]
 language = "eql"
From e6130f7519322d823b5fdbbfbb96b019ea63ed3c Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 20 Oct 2021 12:41:33 +0200
Subject: [PATCH 6/8] Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan
---
 rules/windows/persistence_remote_password_reset.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 42522ddfa44..3d109f2d54b 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -29,7 +29,7 @@ type = "eql"
 
 query = '''
 sequence by host.id with maxspan=5m
- [authentication where event.action=="logged-in" and
+ [authentication where event.action == "logged-in" and
 /* event 4624 need to be logged */
 winlog.logon.type:"Network" and event.outcome == "success" and source.ip != null and
 source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId
From 4fb017e70f15179bfdee896615dfe068727439d6 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 20 Oct 2021 12:41:40 +0200
Subject: [PATCH 7/8] Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan
---
 rules/windows/persistence_remote_password_reset.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 3d109f2d54b..77b0c1b89e6 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -31,7 +31,7 @@ query = '''
 sequence by host.id with maxspan=5m
 [authentication where event.action == "logged-in" and
 /* event 4624 need to be logged */
- winlog.logon.type:"Network" and event.outcome == "success" and source.ip != null and
+ winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
 source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId
 /* event 4724 need to be logged */
 [iam where event.action == "reset-password"] by winlog.event_data.SubjectLogonId
From 11eb1388122b0600f76b1f077a4b39e621cb5b38 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 18 Nov 2021 10:22:02 +0100
Subject: [PATCH 8/8] Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Justin Ibarra
---
 rules/windows/persistence_remote_password_reset.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 77b0c1b89e6..4fde4683765 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -32,7 +32,7 @@ sequence by host.id with maxspan=5m
 [authentication where event.action == "logged-in" and
 /* event 4624 need to be logged */
 winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
- source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId
+ not source.ip in ("127.0.0.1", "::1")] by winlog.event_data.TargetLogonId
 /* event 4724 need to be logged */
 [iam where event.action == "reset-password"] by winlog.event_data.SubjectLogonId
 '''