A large-scale password change across multiple accounts may indicate an adversary preparing to deploy ransomware and disrupt network access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential ransomware attacks before they execute.
KQL Query

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_all('user', '/Domain', '/Active:Yes', '/PasswordChg:No')
| summarize commands=count() by DeviceId, bin(Timestamp, 1d)
| where commands > 200
```
```yaml
id: 4d8285d1-deac-4eb6-8cdf-267ed37ef39e
name: Mass account password change
description: |
  Prior to deploying Macaw ransomware in an organization, adversaries will change the password for hundreds or thousands of accounts in order to lock users out of the network and impede recovery efforts.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Ransomware
query: |
  DeviceProcessEvents
  | where ProcessCommandLine has_all('user', '/Domain', '/Active:Yes', '/PasswordChg:No')
  | summarize commands=count() by DeviceId, bin(Timestamp, 1d)
  | where commands > 200
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
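To check what the query above actually keys on before it is scheduled, the following added example (not part of the original hunting query or of Sentinel) replays its logic in Python over constructed DeviceProcessEvents records: case-insensitive `has_all` term matching, a per-device per-day count, and the `> 200` threshold. The field names and the sample telemetry are assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime

# The four terms the Sentinel query requires in ProcessCommandLine.
# KQL has_all matches each term case-insensitively, so both sides are lower-cased.
REQUIRED_TERMS = ("user", "/Domain", "/Active:Yes", "/PasswordChg:No")
THRESHOLD = 200  # the query keeps device-days with more than 200 matching commands

def has_all(command_line, terms=REQUIRED_TERMS):
    """Approximate KQL has_all: every term appears somewhere, ignoring case."""
    lowered = command_line.lower()
    return all(term.lower() in lowered for term in terms)

def detect_mass_password_change(events, threshold=THRESHOLD):
    """Mirror the query: count matching commands per DeviceId per calendar day
    (bin(Timestamp, 1d)) and return only the device-days above the threshold.
    Each event is a dict with Timestamp (ISO 8601), DeviceId, ProcessCommandLine."""
    counts = Counter()
    for event in events:
        if has_all(event["ProcessCommandLine"]):
            day = datetime.fromisoformat(event["Timestamp"]).date().isoformat()
            counts[(event["DeviceId"], day)] += 1
    return {key: n for key, n in counts.items() if n > threshold}

def sample_events():
    """Constructed sample telemetry (not real data): host-a runs the matching
    command 250 times in one day (lower-cased flags, to show case-insensitive
    matching); host-b runs it 5 times plus one 'net user' listing without the
    flags, which must not count."""
    events = []
    for i in range(250):
        events.append({
            "Timestamp": f"2024-01-15T10:{i % 60:02d}:{i % 60:02d}",
            "DeviceId": "host-a",
            "ProcessCommandLine": f"net user acct{i} Tmp{i} /domain /active:yes /passwordchg:no",
        })
    for i in range(5):
        events.append({
            "Timestamp": f"2024-01-15T11:00:{i:02d}",
            "DeviceId": "host-b",
            "ProcessCommandLine": f"net user svc{i} Tmp{i} /Domain /Active:Yes /PasswordChg:No",
        })
    events.append({"Timestamp": "2024-01-15T12:00:00", "DeviceId": "host-b",
                   "ProcessCommandLine": "net user /domain"})
    return events

if __name__ == "__main__":
    print(detect_mass_password_change(sample_events()))
```

Lowering `threshold` in the call shows how quickly the five-command host-b day would surface, which is the trade-off to weigh against the legitimate bulk-rotation scenarios listed below.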
Scenario: Scheduled Password Rotation via Identity Management Tool
Description: A legitimate password rotation job using tools like Microsoft Azure AD Password Protection or HashiCorp Vault is configured to rotate passwords for hundreds of accounts on a scheduled basis.
Filter/Exclusion: Check for event_id=4648 (Password Changed) with source_process_name containing AzureADPasswordProtection or vault-agent.
Scenario: Bulk User Account Creation with Default Passwords
Description: An admin task or script (e.g., using PowerShell or AWS Identity and Access Management (IAM) bulk creation) creates multiple user accounts with default or temporary passwords as part of onboarding.
Filter/Exclusion: Filter by event_id=4648 with subject_user_name matching known admin accounts or source_process_name containing PowerShell or awscli.
Scenario: Password Reset via Self-Service Portal
Description: Users reset their own passwords through a self-service portal (e.g., Okta, Microsoft Azure AD Self-Service Password Reset), which may result in a large number of password change events.
Filter/Exclusion: Filter by event_id=4648 with subject_user_name matching known user patterns or source_process_name containing Okta or AzureAD.
Scenario: System-Wide Password Policy Enforcement
Description: A system-wide password policy change (e.g., via Microsoft Intune, Cisco ISE, or Active Directory Group Policy) triggers a mass password reset across all users.
Filter/Exclusion: Filter by event_id=4648 with source_process_name containing GroupPolicy or Intune, or check for policy change events (`event_id=