
Suspicious Computer Machine Password by PowerShell

The Reset-ComputerMachinePassword cmdlet changes the computer account password that a computer uses to authenticate to the domain controllers in its domain. It can be used to reset the password of the local computer.

Author
François Hubaut
Log Source
Product
Windows (raw: windows)
Category
PowerShell Module (raw: ps_module)

Definition

0ad03ef1-f21b-4a79-8ce8-e6900c54b65b

Detection Logic
detection:
    selection:
        ContextInfo|contains: 'Reset-ComputerMachinePassword'
    condition: selection
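As an added illustration (not part of the Sigma rule or of this page), a minimal evaluator for the selection above, run over constructed PowerShell Module (Event ID 4103) events; the ContextInfo layout, script paths and host names are assumptions.

```python
"""Evaluate the rule's Sigma selection against constructed PowerShell Module events."""

# The selection exactly as the rule states it. Sigma string comparisons are
# case-insensitive unless the 'cased' modifier is used, so 'contains' is too.
RULE_SELECTION = {"ContextInfo|contains": "Reset-ComputerMachinePassword"}


def field_matches(event: dict, key: str, expected: str) -> bool:
    """Evaluate one 'Field' or 'Field|modifier' pair of a Sigma selection."""
    name, _, modifier = key.partition("|")
    value = event.get(name)
    if value is None:                      # field absent: never a match
        return False
    value, expected = str(value).lower(), expected.lower()
    if modifier == "":
        return value == expected           # plain Sigma equality
    if modifier == "contains":
        return expected in value
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict, selection: dict) -> bool:
    """All key/value pairs inside one selection map are AND-ed together."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def alerts(events: list[dict]) -> list[dict]:
    """Return the events that satisfy 'condition: selection'."""
    return [e for e in events if selection_matches(e, RULE_SELECTION)]


# Constructed sample 4103 records (assumed layout, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4103, "ContextInfo": "Host Name = ConsoleHost\r\n"
     "Command Name = Reset-ComputerMachinePassword\r\n"
     "Script Name = C:\\Temp\\task.ps1"},
    {"EventID": 4103, "ContextInfo": "Host Name = ConsoleHost\r\n"
     "Command Name = reset-computermachinepassword\r\n"     # case differs
     "Script Name = C:\\Admin\\rejoin.ps1"},
    {"EventID": 4103, "ContextInfo": "Host Name = ConsoleHost\r\n"
     "Command Name = Get-ADComputer\r\nScript Name = C:\\Admin\\audit.ps1"},
    {"EventID": 4104, "ScriptBlockText": "Get-Date"},       # no ContextInfo
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["ContextInfo"].replace("\r\n", " | "))
```

Both the mixed-case and the canonical spelling fire, which is also why the listed false positive (administrator scripts that legitimately rejoin a machine) needs tuning on script path or host rather than on the cmdlet name.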
False Positives

Administrator PowerShell scripts

Rule Metadata
Rule ID
e3818659-5016-4811-a73c-dde4679169d2
Status
test
Level
medium
Type
Detection
Created
Mon Feb 21
Path
rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078