The account password policy was changed in an anomalous way
Description
AlphaSOC has detected a password policy change that may indicate an attempt to
weaken security controls. This detection is particularly concerning if it
involves a new autonomous system number (ASN), a new user agent, or the
DeleteAccountPasswordPolicy action. Such changes may be part of an adversary's
effort to gain easier access to compromised accounts.
Impact
Changes to password policies can significantly weaken an organization's security. Threat actors can exploit these changes to create weaker passwords or to remove account lockout policies. This can lead to easier unauthorized access and potential data breaches.
Severity
Severity | Condition |
---|---|
Informational | Password policy change detected |
Low | Unexpected ASN, user agent or use of the DeleteAccountPasswordPolicy action |
Medium | Multiple conditions occur simultaneously |
Investigation and Remediation
Investigate the details of the policy change, including who made the change and from where. Review logs for any suspicious activities. If the change was unauthorized, revert the password policy change and enforce password resets.
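The following triage sketch is an added example, not AlphaSOC's detection logic. It pulls the who and where of each password policy change out of CloudTrail-style records and applies one reading of the severity table above. The baseline sets, the `IP_TO_ASN` lookup and every sample record are constructed assumptions (documentation-range IPs and ASNs, made-up principals).

```python
import json

POLICY_EVENTS = {"UpdateAccountPasswordPolicy", "DeleteAccountPasswordPolicy"}
SEVERITY = ["Informational", "Low", "Medium"]  # 0, 1, 2+ conditions met

# Assumed baseline for the account; in practice built from historical activity.
KNOWN_ASNS = {64500}
KNOWN_AGENTS = {"console.amazonaws.com"}
# Constructed stand-in for an IP-to-ASN enrichment source.
IP_TO_ASN = {"192.0.2.10": 64500, "203.0.113.77": 64511}

def _record(name, time, ip, agent, user):
    """Build a constructed CloudTrail-style record with only the fields used here."""
    return {"eventSource": "iam.amazonaws.com", "eventName": name, "eventTime": time,
            "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}

SAMPLE_LOG = json.dumps({"Records": [
    _record("UpdateAccountPasswordPolicy", "2024-05-01T09:12:44Z", "192.0.2.10", "console.amazonaws.com", "admin-alice"),
    _record("UpdateAccountPasswordPolicy", "2024-05-01T17:03:10Z", "192.0.2.10", "Boto3/1.34.0", "admin-alice"),
    _record("DeleteAccountPasswordPolicy", "2024-05-02T03:40:02Z", "203.0.113.77", "aws-cli/2.15.0", "svc-build"),
    _record("ListUsers", "2024-05-02T03:41:00Z", "203.0.113.77", "aws-cli/2.15.0", "svc-build"),
]})

def triage(log_text):
    """Return one finding per password policy change: who, from where, severity."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") not in POLICY_EVENTS:
            continue
        asn = IP_TO_ASN.get(rec.get("sourceIPAddress"))  # None when the lookup fails
        reasons = []
        if asn not in KNOWN_ASNS:
            reasons.append("unexpected ASN")
        if rec.get("userAgent") not in KNOWN_AGENTS:
            reasons.append("unexpected user agent")
        if rec["eventName"] == "DeleteAccountPasswordPolicy":
            reasons.append("DeleteAccountPasswordPolicy action")
        findings.append({
            "time": rec.get("eventTime"), "who": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"), "asn": asn,
            "severity": SEVERITY[min(len(reasons), 2)],
            "reasons": reasons,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Real CloudTrail user agent strings carry version and platform details, so a production baseline would normalize them rather than compare exact strings as this sketch does.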
Known False Positives
- Legitimate administrative action to update password policies