Detection rules › Kusto Query Language

AD account with Don't Expire Password

Author: Microsoft Security Research
Source: upstream

'Identifies whenever a user account has the setting "Password Never Expires" in the user account properties selected. This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089. %%2089 resolves to "Don't Expire Password - Enabled".'

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1098` Account Manipulation
Privilege Escalation	`T1098` Account Manipulation

Event coverage

Provider	Event ID	Title
Security-Auditing	4738	A user account was changed.

Stages and Predicates

Stage 1: `source`

<union>

Stage 2: `union`

union of 2 branches

AD account with Don't Expire Password

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: `source`

Stage 2: `union`

Stage 3: `extend`

Stage 4: `extend`

Stage 5: `project-away`

Keyboard Shortcuts

AD account with Don't Expire Password

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: union

Stage 3: extend

Stage 4: extend

Stage 5: project-away

Stage 1: `source`

Stage 2: `union`

Stage 3: `extend`

Stage 4: `extend`

Stage 5: `project-away`