Windows Event ID 4935 – Microsoft-Windows-Security-Auditing: Maximum Daily Password Reset Attempts Exceeded

Start by examining the specific details of Event ID 4935 to understand the scope and source of the password reset attempts.

1. Open Event Viewer → Windows Logs → Security
2. Filter for Event ID 4935 using the following PowerShell command:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4935} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

3. Examine the event details for:
• Target account name and domain
• Source workstation or IP address
• Timestamp patterns indicating frequency
• Associated logon type information
4. Cross-reference with Event ID 4625 (failed logon attempts) to identify coordinated attacks:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4935; StartTime=(Get-Date).AddHours(-24)} | Sort-Object TimeCreated

Verify and adjust the password reset attempt thresholds to balance security with usability.

1. Open Local Security Policy or Group Policy Management Console
2. Navigate to Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy
3. Review the following settings:
• Account lockout threshold
• Account lockout duration
• Reset account lockout counter after
4. Check the registry for password reset specific settings:

Get-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "MaximumPasswordAge" -ErrorAction SilentlyContinue

5. For domain environments, verify Group Policy settings:

gpresult /h C:\temp\gpresult.html

6. Review Azure AD Connect settings if using hybrid identity:

Get-ADSyncScheduler

Analyze the network source of password reset attempts to identify potential threats or compromised systems.

1. Extract source IP addresses from Event ID 4935 entries:

$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4935; StartTime=(Get-Date).AddDays(-7)}
$Events | ForEach-Object {
    $XML = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        TargetUserName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        WorkstationName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'WorkstationName'} | Select-Object -ExpandProperty '#text'
        IpAddress = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'
    }
} | Group-Object IpAddress | Sort-Object Count -Descending

2. Check Windows Firewall logs for additional context:

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'; StartTime=(Get-Date).AddHours(-24)} | Where-Object {$_.Message -like '*password*' -or $_.Message -like '*reset*'}

3. Review IIS logs if running web-based password reset portals:

Get-Content "C:\inetpub\logs\LogFiles\W3SVC1\*.log" | Select-String "password|reset" | Select-Object -Last 50

4. Use netstat to check for suspicious connections:

netstat -an | findstr :443

Set up proactive monitoring to detect and respond to password reset abuse patterns before they impact users.

1. Create a custom Windows Event Forwarding subscription for Event ID 4935:

<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>PasswordResetMonitoring</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Monitor excessive password reset attempts</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <Query><![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4935)]]</Select>
            </Query>
        </QueryList>
    ]]></Query>
</Subscription>

2. Create a PowerShell script for automated alerting:

# Save as Monitor-PasswordResetAbuse.ps1
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4935; StartTime=(Get-Date).AddMinutes(-15)}
if ($Events.Count -gt 5) {
    $AlertMessage = "High volume of password reset attempts detected: $($Events.Count) events in last 15 minutes"
    Write-EventLog -LogName Application -Source "Password Reset Monitor" -EventId 9999 -EntryType Warning -Message $AlertMessage
    # Send email alert
    Send-MailMessage -To "admin@company.com" -From "monitor@company.com" -Subject "Password Reset Alert" -Body $AlertMessage -SmtpServer "mail.company.com"
}

3. Schedule the monitoring script using Task Scheduler:

$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-PasswordResetAbuse.ps1"
$Trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration (New-TimeSpan -Days 365) -At (Get-Date)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
Register-ScheduledTask -TaskName "Password Reset Monitoring" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"

4. Configure Windows Event Log size to ensure retention:

wevtutil sl Security /ms:1073741824

Deploy comprehensive account protection measures and establish procedures for handling password reset abuse incidents.

1. Enable Advanced Threat Analytics (ATA) or Microsoft Defender for Identity monitoring:

# Check if Defender for Identity sensor is installed
Get-Service -Name "AATPSensor" -ErrorAction SilentlyContinue

2. Implement Conditional Access policies for password reset operations (Azure AD environments):

# Connect to Azure AD
Connect-AzureAD
# Review existing Conditional Access policies
Get-AzureADMSConditionalAccessPolicy | Where-Object {$_.Conditions.Applications.IncludeApplications -contains "All"}

3. Configure account lockout exemptions for service accounts:

# Add service accounts to lockout exemption group
$ServiceAccounts = @("svc-backup", "svc-monitoring", "svc-app")
foreach ($Account in $ServiceAccounts) {
    Add-ADGroupMember -Identity "Lockout Exempt Accounts" -Members $Account -ErrorAction SilentlyContinue
}

4. Create incident response procedures:

# Automated account protection script
function Protect-CompromisedAccount {
    param([string]$Username)
    
    # Disable account temporarily
    Disable-ADAccount -Identity $Username
    
    # Force password reset
    Set-ADUser -Identity $Username -ChangePasswordAtLogon $true
    
    # Log the action
    Write-EventLog -LogName Application -Source "Security Response" -EventId 8888 -EntryType Information -Message "Account $Username protected due to password reset abuse"
    
    # Notify security team
    Send-MailMessage -To "security@company.com" -From "automated-response@company.com" -Subject "Account Protection: $Username" -Body "Account $Username has been temporarily disabled due to excessive password reset attempts." -SmtpServer "mail.company.com"
}

5. Implement multi-factor authentication for password reset operations:

# Check MFA status for users experiencing reset abuse
Get-MsolUser | Where-Object {$_.StrongAuthenticationRequirements.State -ne "Enforced"} | Select-Object UserPrincipalName, @{Name="MFAStatus";Expression={$_.StrongAuthenticationRequirements.State}}