Detectionmediumtest
Logged-On User Password Change Via Ksetup.EXE
Detects password change for the logged-on user's via "ksetup.exe"
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Thu Apr 06c9783e20-4793-4164-ba96-d9ee483992c4windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
- Image|endswith: '\ksetup.exe'
- OriginalFileName: 'ksetup.exe'
selection_cli:
CommandLine|contains: ' /ChangePassword '
condition: all of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
c9783e20-4793-4164-ba96-d9ee483992c4
Status
test
Level
medium
Type
Detection
Created
Thu Apr 06
Path
rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml
Raw Tags
attack.execution