SOLVED

Account Password was changed


ATA has, under activities, "Account password was changed". Is there a way to know what account changed the password?

3 Replies
Best Response confirmed by charles burch (Occasional Contributor)
Solution

No, this activity is calculated based on the password update time.

When we see the update time changes, we know the password changed, but we can't get the account that changed it.


Hi Eli

 

Thanks for the answer; could I clarify this please?

 

In ATA, it shows this activity for a user who is adamant they did not change their password. It happened at 8:16 yesterday (01/10/18) morning. However, this activity does not show to me when I search for that user; just to them when they search for themselves on ATA.

 

Can you please elaborate why this might occur; is it a false positive (they got their password wrong but this shows as the following activity to both me and him) or has someone tried to change his password but not him?

 

Thanks

 

Simon


I am not aware of false positives in logical activities, only on alerts.

Logical activities represent facts.

Password changed means we saw the password update time for this attribute changed.

It can happen if the user changed his own password or if it was changed for them, but it's unrelated to trying to authenticate.

Also, trying to change a password without success should not trigger this password change activity.

Also, we don't have ACLs on logical activities, so I have no idea how come one of you can see the activity and one can't, unless you are using different filters or something like that.

I suggest checking the date in AD for that user using the Pwd-Last-Set attribute and seeing if it corresponds to what ATA is reporting.

https://docs.microsoft.com/en-us/windows/desktop/adschema/a-pwdlastset

 

Eli.
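
The Pwd-Last-Set check suggested above, as an added PowerShell example that is not part of the original thread or of ATA itself. It assumes the ActiveDirectory (RSAT) module is available; the function name, the account `jdoe`, the sample time and the five-minute tolerance are placeholders chosen for illustration.

```powershell
# Added example: compare AD's pwdLastSet with the time shown in the ATA activity.
Import-Module ActiveDirectory

function Compare-PwdLastSetToAta {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,     # account shown in ATA
        [Parameter(Mandatory)][datetime]$AtaReportedTime,  # local time shown in the ATA console
        [int]$ToleranceMinutes = 5                         # assumed tolerance, tune as needed
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet

    # pwdLastSet is a FILETIME: 100 ns intervals since 1601-01-01 UTC.
    # A value of 0 means "must change password at next logon", not a timestamp.
    if ($user.pwdLastSet -eq 0) {
        return [pscustomobject]@{
            Account       = $SamAccountName
            PwdLastSetUtc = $null
            DeltaMinutes  = $null
            MatchesAta    = $false
            Note          = 'pwdLastSet is 0 (change required at next logon)'
        }
    }

    $pwdUtc = [datetime]::FromFileTimeUtc($user.pwdLastSet)
    $ataUtc = $AtaReportedTime.ToUniversalTime()   # unspecified kind is treated as local time
    $delta  = [math]::Abs(($pwdUtc - $ataUtc).TotalMinutes)

    [pscustomobject]@{
        Account       = $SamAccountName
        PwdLastSetUtc = $pwdUtc
        DeltaMinutes  = [math]::Round($delta, 1)
        MatchesAta    = ($delta -le $ToleranceMinutes)
        Note          = ''
    }
}

# Placeholder values; substitute the account and time from the ATA activity.
Compare-PwdLastSetToAta -SamAccountName 'jdoe' -AtaReportedTime '2018-01-01 00:00'
```

A `PwdLastSetUtc` later than the ATA time only shows that the password has been set again since the activity was recorded, because the attribute holds the most recent change only.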