AnalysisType: rule
Filename: crowdstrike_password_change.py
RuleID: "Crowdstrike.UserPasswordChange"
DisplayName: "Crowdstrike User Password Changed"
Enabled: true
LogTypes:
- Crowdstrike.EventStreams
Severity: Medium
Reports:
MITRE ATT&CK:
- TA0003:T1098.001 # Persistence: Additional Cloud Credentials
- TA0004:T1098.001 # Privilege Escalation: Additional Cloud Credentials
Description: A user's password was changed
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Validate this action was authorized.
Tests:
- Name: Own Password Changed
ExpectedResult: true
Log:
{
"event": {
"AuditKeyValues": [
{
"Key": "target_uuid",
"ValueString": "e70e5306-4a83-4a9f-9b59-a78c304c438b"
},
{
"Key": "target_cid",
"ValueString": "fake_customer_id"
},
{
"Key": "actor_cid",
"ValueString": "fake_customer_id"
},
{
"Key": "trace_id",
"ValueString": "f4f8b3233619bdf49ea2a2d108ce39d8"
},
{
"Key": "target_name",
"ValueString": "peregrin.took@hobbiton.co"
},
{
"Key": "action_target_name",
"ValueString": "peregrin.took@hobbiton.co"
}
],
"OperationName": "changePassword",
"ServiceName": "CrowdStrike Authentication",
"Success": true,
"UTCTimestamp": "2024-07-22 16:15:36.535000000",
"UserId": "peregrin.took@hobbiton.co",
"UserIp": "1.1.1.1"
},
"metadata": {
"customerIDString": "fake_customer_id",
"eventCreationTime": "2024-07-22 16:15:36.535000000",
"eventType": "AuthActivityAuditEvent",
"offset": 341447,
"version": "1.0"
}
}
- Name: Password Changed for Different User
ExpectedResult: true
Log:
{
"event": {
"AuditKeyValues": [
{
"Key": "target_uuid",
"ValueString": "e70e5306-4a83-4a9f-9b59-a78c304c438b"
},
{
"Key": "target_cid",
"ValueString": "fake_customer_id"
},
{
"Key": "actor_cid",
"ValueString": "fake_customer_id"
},
{
"Key": "trace_id",
"ValueString": "f4f8b3233619bdf49ea2a2d108ce39d8"
},
{
"Key": "target_name",
"ValueString": "peregrin.took@hobbiton.co"
},
{
"Key": "action_target_name",
"ValueString": "peregrin.took@hobbiton.co"
}
],
"OperationName": "changePassword",
"ServiceName": "CrowdStrike Authentication",
"Success": true,
"UTCTimestamp": "2024-07-22 16:15:36.535000000",
"UserId": "bilbo.baggins@hobbiton.co",
"UserIp": "1.1.1.1"
},
"metadata": {
"customerIDString": "fake_customer_id",
"eventCreationTime": "2024-07-22 16:15:36.535000000",
"eventType": "AuthActivityAuditEvent",
"offset": 341447,
"version": "1.0"
}
}
- Name: Unsuccessful Password Change Attempt
ExpectedResult: false
Log:
{
"event": {
"AuditKeyValues": [
{
"Key": "target_uuid",
"ValueString": "e70e5306-4a83-4a9f-9b59-a78c304c438b"
},
{
"Key": "target_cid",
"ValueString": "fake_customer_id"
},
{
"Key": "actor_cid",
"ValueString": "fake_customer_id"
},
{
"Key": "trace_id",
"ValueString": "f4f8b3233619bdf49ea2a2d108ce39d8"
},
{
"Key": "target_name",
"ValueString": "peregrin.took@hobbiton.co"
},
{
"Key": "action_target_name",
"ValueString": "peregrin.took@hobbiton.co"
}
],
"OperationName": "changePassword",
"ServiceName": "CrowdStrike Authentication",
"Success": false,
"UTCTimestamp": "2024-07-22 16:15:36.535000000",
"UserId": "bilbo.baggins@hobbiton.co",
"UserIp": "1.1.1.1"
},
"metadata": {
"customerIDString": "fake_customer_id",
"eventCreationTime": "2024-07-22 16:15:36.535000000",
"eventType": "AuthActivityAuditEvent",
"offset": 341447,
"version": "1.0"
}
}
- Name: Unrelated Event
ExpectedResult: false
Log:
{
"event": {
"AuditKeyValues": [
{
"Key": "target_uuid",
"ValueString": "e70e5306-4a83-4a9f-9b59-a78c304c438b"
},
{
"Key": "target_cid",
"ValueString": "fake_customer_id"
},
{
"Key": "actor_cid",
"ValueString": "fake_customer_id"
},
{
"Key": "trace_id",
"ValueString": "652fc606f369ef3105925197b34f2c54"
},
{
"Key": "target_name",
"ValueString": "peregrin.took@hobbiton.co"
},
{
"Key": "action_target_name",
"ValueString": "peregrin.took@hobbiton.co"
}
],
"OperationName": "userAuthenticate",
"ServiceName": "CrowdStrike Authentication",
"Success": true,
"UTCTimestamp": "2024-07-22 15:50:16.923000000",
"UserId": "peregrin.took@hobbiton.co",
"UserIp": "1.1.1.1"
},
"metadata": {
"customerIDString": "fake_customer_id",
"eventCreationTime": "2024-07-22 15:50:16.923000000",
"eventType": "AuthActivityAuditEvent",
"offset": 341329,
"version": "1.0"
}
}