KRBTGT Password Reset Detection

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects password reset activity performed on the highly sensitive Active Directory account KRBTGT

Severity

Critical

Rule Requirement

Criteria

Action1: actionname = "Successful user account password change" AND (TARGETUSER = "krbtgt") select Action1.HOSTNAME,Action1.MESSAGE,Action1.DOMAIN,Action1.TARGETDOMAIN,Action1.TARGETMACHINE,Action1.TARGETUSER,Action1.USERNAME,Action1.IENAME_FORMATTED,Action1.MEMBERGROUPSID,Action1.SECURITYID

Detection

Execution Mode

realtime

Log Sources

Active Directory