Detects the creation and modification of an account with the "Don't Expire Password" option enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.
Rule type: query
Risk score: 47
Runs every: 5m
Maximum alerts per execution: 100
Tags:
- Threat Detection
- Active Directory
Rule license: Elastic License v2
Rule query:
event.action:"modified-user-account" and event.code:"4738" and message:"'Don't Expire Password' - Enabled" and not user.id:"S-1-5-18"
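The following is an added example, not part of the Elastic rule, that evaluates the query's conditions in Python over constructed ECS-style Windows Security events so the match and the S-1-5-18 exclusion can be inspected offline. It approximates the KQL phrase match on `message` with a substring test, and all SIDs, account names and field layout are constructed sample data.

```python
"""Added example (not the Elastic rule's own code): mirror the rule's four
conditions and run them over constructed 4738/4720 events."""

LOCAL_SYSTEM_SID = "S-1-5-18"  # excluded by the rule: changes made as SYSTEM
FLAG_ENABLED = "'Don't Expire Password' - Enabled"


def matches_rule(event: dict) -> bool:
    """Return True when an ECS-style document satisfies the rule query.
    Substring test stands in for the KQL phrase match on message."""
    ev = event.get("event", {})
    return (
        ev.get("action") == "modified-user-account"
        and str(ev.get("code")) == "4738"
        and FLAG_ENABLED in event.get("message", "")
        and event.get("user", {}).get("id") != LOCAL_SYSTEM_SID
    )


def build_event(subject_sid: str, target: str, uac_change: str,
                code: str = "4738", action: str = "modified-user-account") -> dict:
    """Constructed Security event; only fields the rule reads are realistic."""
    return {
        "event": {"action": action, "code": code},
        "user": {"id": subject_sid},  # subject who performed the change
        "winlog": {"event_data": {"TargetUserName": target}},
        "message": (
            "A user account was changed.\n"
            f"\tTarget Account:\t{target}\n"
            f"\tChanged Attributes:\tUser Account Control:\t{uac_change}"
        ),
    }


ADMIN_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"  # constructed

# Constructed sample stream: one true positive and three non-matches.
SAMPLE_EVENTS = [
    build_event(ADMIN_SID, "svc_backup", FLAG_ENABLED),
    build_event(LOCAL_SYSTEM_SID, "svc_backup", FLAG_ENABLED),  # SYSTEM: excluded
    build_event(ADMIN_SID, "jdoe", "'Don't Expire Password' - Disabled"),
    # Account creation (4720) is not matched by this query as written.
    build_event(ADMIN_SID, "newuser", FLAG_ENABLED, code="4720",
                action="added-user-account"),
]


def alerting_targets(events: list) -> list:
    """Target account names that would raise an alert under the rule."""
    return [e["winlog"]["event_data"]["TargetUserName"]
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerting_targets(SAMPLE_EVENTS))  # ['svc_backup']
```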
Framework: MITRE ATT&CK