You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
title: Possible Remote Password Change Through SAMR
id: 7818b381-5eb1-4641-bea5-ef9e4cfb5951
description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced
Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events.
author: Dimitrios Slamaris
date: 2017/06/09
tags:
- attack.credential_access
- attack.t1212
logsource:
product: windows
service: security
detection:
samrpipe:
EventID: 5145
RelativeTargetName: samr
passwordchanged:
EventID: 4738
passwordchanged_filter:
PasswordLastSet: null
timeframe: 15s
condition: ( passwordchanged and not passwordchanged_filter ) | near samrpipe