Rule for change password user AD


German DiCasas

Jan 24, 2025, 5:50:48 PM
to Wazuh | Mailing List
Hi team,

I have a problem here. I have Wazuh 4.8.2-1 and everything works fine. The issue is with a rule to detect the change of a user's password on AD.

The related eventID is 4738. At the moment you set the new password, the PasswordLastSet variable of 4738 is set to the date (example: 24/01/2025 07:04:22 p.m.). I have this rule and it works OK:

<rule id="120065" level="15">
    <if_sid>60110</if_sid>
    <field name="win.system.eventID">^4738$</field>
    <field name="win.eventdata.passwordLastSet" type="pcre2">\d+/\d+/\d+ \d+:\d+:\d+</field>
    <description>User "$(win.eventdata.subjectUserName)" change password</description>
</rule>

That eventID and that PasswordLastSet are exactly the same if you change the password or uncheck the checkbox "user must change password at next logon". Same log, yes.

If you use "Reset Password..." and you leave the default check in the checkbox "user must change password at next logon", you will have two events with ID 4738. The first is like the previous one and the second is the same, but PasswordLastSet is set to %%1794.

I want to detect those last two in their order, since if one happens after the other it indicates that I used the "Reset Password..." process. That is, I want to detect in a rule that those two events happened in that order, taking into account that in the first one PasswordLastSet was the date and in the other it was %%1794.

I can't use if_matched_sid or if_matched since you need at least 2 and the PasswordLastSet changes on each 4738. So ....

This is the order:
1st: 4738 with PasswordLastSet=date
2nd: 4738 with PasswordLastSet=%%1794
If that order happened, then a user used "Reset Password..." in AD.

Let me know how I can detect that order, if it can be done... hopefully.

Regards,

German
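The ordered detection described in this post, as an added example that is not part of the thread or of Wazuh: the Wazuh rule engine cannot chain two 4738 events on a changing field, so this Python runs outside it over alerts already decoded into win.* fields. It uses constructed sample alerts and assumes the two 4738 events of one "Reset Password..." arrive within a 10-second window.

```python
import re
from datetime import datetime, timedelta

# Pattern from the poster's rule: PasswordLastSet carries a date on a plain change.
DATE_RE = re.compile(r"^\d+/\d+/\d+ \d+:\d+:\d+")
# Assumption: both 4738 events of one "Reset Password..." land within 10 seconds.
WINDOW = timedelta(seconds=10)

# Constructed sample alerts (not real logs), shaped like Wazuh's decoded win.* fields.
SAMPLE = [
    {"timestamp": "2025-01-24T19:04:22", "win": {"system": {"eventID": "4738"},
     "eventdata": {"subjectUserName": "admin1", "targetUserName": "jdoe",
                   "passwordLastSet": "24/01/2025 07:04:22 p.m."}}},
    {"timestamp": "2025-01-24T19:04:23", "win": {"system": {"eventID": "4738"},
     "eventdata": {"subjectUserName": "admin1", "targetUserName": "jdoe",
                   "passwordLastSet": "%%1794"}}},
    # Plain password change: dated event only, no %%1794 follow-up.
    {"timestamp": "2025-01-24T19:10:00", "win": {"system": {"eventID": "4738"},
     "eventdata": {"subjectUserName": "asmith", "targetUserName": "asmith",
                   "passwordLastSet": "24/01/2025 07:10:00 p.m."}}},
    # %%1794 with no preceding dated event for this account.
    {"timestamp": "2025-01-24T19:12:00", "win": {"system": {"eventID": "4738"},
     "eventdata": {"subjectUserName": "admin1", "targetUserName": "bwong",
                   "passwordLastSet": "%%1794"}}},
    # %%1794 for asmith, but 20 minutes after the dated event: outside the window.
    {"timestamp": "2025-01-24T19:30:00", "win": {"system": {"eventID": "4738"},
     "eventdata": {"subjectUserName": "admin1", "targetUserName": "asmith",
                   "passwordLastSet": "%%1794"}}},
]


def detect_resets(events, window=WINDOW):
    """Return (targetUserName, subjectUserName, timestamp) for each 4738 with a dated
    PasswordLastSet followed within `window` by a 4738 with PasswordLastSet=%%1794."""
    pending = {}  # targetUserName -> time of the most recent dated 4738
    hits = []
    for ev in events:
        if ev["win"]["system"]["eventID"] != "4738":
            continue
        data = ev["win"]["eventdata"]
        target = data["targetUserName"]
        when = datetime.fromisoformat(ev["timestamp"])
        pls = data.get("passwordLastSet", "")
        if DATE_RE.match(pls):
            pending[target] = when  # remember the first half of the pair
        elif pls == "%%1794":
            first = pending.pop(target, None)
            if first is not None and timedelta(0) <= when - first <= window:
                hits.append((target, data["subjectUserName"], ev["timestamp"]))
    return hits
```

Only the jdoe pair fires: the lone dated event, the lone %%1794 and the out-of-window pair are all ignored, which is the distinction a single stateless rule on either value cannot make.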

Md. Nazmur Sakib

Jan 26, 2025, 11:26:38 PM
to Wazuh | Mailing List

Hi German,

The exact correlation you want is not possible. But based on your explanation I would like to propose this solution.

I believe only using "Reset Password..." with the default check left in the checkbox "user must change password at next logon" will trigger PasswordLastSet=%%1794, while PasswordLastSet=date will trigger in any password change condition.

So, considering PasswordLastSet=%%1794 as a unique condition for password reset, we can create a rule to trigger an alert.

Based on that we can write a new rule like this:

<rule id="120066" level="15">
    <if_sid>60110</if_sid>
    <field name="win.system.eventID">^4738$</field>
    <field name="win.eventdata.passwordLastSet">\p\p1794</field>
    <description>User "$(win.eventdata.subjectUserName)" reset password</description>
</rule>


Ref:
Rules Syntax
Regular Expression Syntax

Let me know if you need further assistance on this.

German DiCasas

Jan 28, 2025, 1:16:30 PM
to Wazuh | Mailing List
Thanks, but it will not work, since 4738 is something that completes over any change, even if it was not changed.

And, related to that, is there any way a rule can read a file, or read a CDB list with lots of parameters? I mean a CDB list test.cdb:
user1,011:10
user1,029:4738


<list field="user" lookup="match_key_value" check_value="10">etc/lists/test</list>

I need to find the key on the CDB list, like user,agent.id, and then find the value. Is it possible? I mean, find a key with this format, user,agent.id, that depends on each log. Is it possible to find a key that is composed of event variables? The same with the value... 10:user1,029

Thanks. 

Md. Nazmur Sakib

Jan 29, 2025, 1:25:30 AM
to Wazuh | Mailing List

The agent ID field is not available for rule creation, as this is considered a log header and the rule engine has no information about it.

You can use the agent.name field in the rule creation, but you need to define it as <hostname>:

<hostname>agent_name</hostname>

That said, you can use a list of parameters for rules using the CDB list.

The CDB list can contain keys and values. Values can be repeated, but the keys must be unique. You can add entries to a CDB list in key:value pairs or key: only.

With a key, we can determine the presence or absence of a field in a given list.
Check this document to learn more:

https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html

You can also check these use cases to understand how the CDB list works.

https://documentation.wazuh.com/current/proof-of-concept-guide/audit-commands-run-by-user.html#wazuh-server
https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/cdb-lists-threat-intelligence.html


Let me know if you need any further information.

German DiCasas

Jan 29, 2025, 10:35:20 AM
to Wazuh | Mailing List
Thanks... solved.

Regards,

German
