Rule Category

POLICY-OTHER

Alert Message

POLICY-OTHER IBM Data Risk Manager user password reset attempt

Rule Explanation

The rule checks for requests to generate and retrieve a new password for an existing user by providing an associated sessionId token. An attacker may use this method to take over an administrative account and to gain an API access token.

What To Look For

This rule fires on an attempt to bypass authentication for an existing IBM Data Risk Manager user. The vulnerability is inherent to the normal functionality of the software.

Known Usage

No public information

False Positives

Known false positives, with the described conditions

It is possible for this rule to alert in the normal process of a password reset.

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic: Privilege Escalation

Technique: Access Token Manipulation

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

Additional Links

CVE Additional Information