Account configured with never Expiring Password

Detects the creation and modification of an account with the "Don’t Expire Password" option enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-system.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence
  • Active Directory

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

event.action:"modified-user-account" and event.code:"4738" and message:"'Don't Expire Password' - Enabled" and not user.id:"S-1-5-18"
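As an added illustration (not part of the Elastic rule or its code), the following Python re-implements the query's predicate and runs it over a few constructed winlogbeat-style events. It assumes the ECS field names used in the query; the SIDs, labels and message text are invented sample data. Note that the predicate only fires on event code 4738 (account modification), so a 4720 creation event with the flag set does not match.

```python
NEEDLE = "'Don't Expire Password' - Enabled"  # phrase the rule matches in message
SYSTEM_SID = "S-1-5-18"                        # local SYSTEM; excluded by the rule

def get_field(event, dotted):
    """Resolve a dotted ECS field name such as "event.code" in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(event):
    """Mirror the KQL: 4738 modification, phrase present, actor is not SYSTEM."""
    if get_field(event, "event.action") != "modified-user-account":
        return False
    if str(get_field(event, "event.code")) != "4738":
        return False
    # KQL phrase-matches a text field; a substring test stands in for it here.
    if NEEDLE not in (get_field(event, "message") or ""):
        return False
    return get_field(event, "user.id") != SYSTEM_SID

def make_event(label, code, action, uac_line, actor_sid):
    """Build a minimal winlogbeat-shaped event (constructed sample data)."""
    message = "User Account Control:\n\t\t" + uac_line
    return {"label": label, "event": {"code": code, "action": action},
            "message": message, "user": {"id": actor_sid}}

ADMIN_SID = "S-1-5-21-1111-2222-3333-1105"  # placeholder domain-user SID
SAMPLE_EVENTS = [
    make_event("admin-sets-flag", "4738", "modified-user-account",
               "'Don't Expire Password' - Enabled", ADMIN_SID),
    make_event("system-sets-flag", "4738", "modified-user-account",
               "'Don't Expire Password' - Enabled", SYSTEM_SID),
    make_event("flag-cleared", "4738", "modified-user-account",
               "'Don't Expire Password' - Disabled", ADMIN_SID),
    # 4720 (account creation) is not covered by the query, even with the flag set
    make_event("account-created", "4720", "added-user-account",
               "'Don't Expire Password' - Enabled", ADMIN_SID),
]

def run_rule(events):
    """Return the labels of events that would raise an alert under the rule."""
    return [e["label"] for e in events if matches_rule(e)]

print(run_rule(SAMPLE_EVENTS))  # ['admin-sets-flag']
```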

Framework: MITRE ATT&CK™