KRBTGT Password Reset Detection
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects password reset activity performed on the highly sensitive Active Directory account KRBTGT
Severity
Critical
Rule Requirement
Criteria
Action1:
actionname = "Successful user account password change" AND (TARGETUSER = "krbtgt")
select Action1.HOSTNAME,Action1.MESSAGE,Action1.DOMAIN,Action1.TARGETDOMAIN,Action1.TARGETMACHINE,Action1.TARGETUSER,Action1.USERNAME,Action1.IENAME_FORMATTED,Action1.MEMBERGROUPSID,Action1.SECURITYID
Detection
Execution Mode
realtime
Log Sources
Active Directory


