Account configured with never Expiring Password

Detects the creation and modification of an account with the "Don’t Expire Password" option enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.

Rule type: query

Rule indices:

• winlogbeat-*
• logs-system.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

• https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire
• https://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html

Tags:

• Elastic
• Host
• Windows
• Threat Detection
• Persistence
• Active Directory

Version: 1

Rule authors:

• Elastic

Rule license: Elastic License v2

event.action:"modified-user-account" and event.code:"4738" and message:"'Don't Expire Password' - Enabled" and not user.id:"S-1-5-18"

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Persistence
  • ID: TA0003
  • Reference URL: https://attack.mitre.org/tactics/TA0003/

• Technique:

  • Name: Account Manipulation
  • ID: T1098
  • Reference URL: https://attack.mitre.org/techniques/T1098/