Account Configured with Never-Expiring Password

Last updated: 2025-01-22
Created: 2022-02-22

About

Detects the creation or modification of an account with the "Don't Expire Password" option enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access through compromised accounts that carry this property, since the credential never rotates on its own.
Tags
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Active Directory
Use Case: Active Directory Monitoring
Data Source: System
Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)

False Positive Examples
User accounts are sometimes used as service accounts and have their password set to never expire. This is a bad security practice that exposes the account to Credential Access attacks. For cases in which a dedicated service identity cannot be avoided, Microsoft provides Group Managed Service Accounts (gMSA), which ensure that the account password is strong and is rotated regularly and automatically.
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
winlogbeat-*
logs-system.*
logs-windows.*
Related Integrations

system

windows

Query
any where host.os.type == "windows" and
(
  (event.code == "4738" and winlog.event_data.NewUACList == "USER_DONT_EXPIRE_PASSWORD") or
  (
    event.code == "5136" and winlog.event_data.AttributeLDAPDisplayName == "userAccountControl" and
    winlog.event_data.AttributeValue in ("66048", "66080")
  )
)
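The query above matches two event shapes: a 4738 "user account changed" event whose NewUACList carries USER_DONT_EXPIRE_PASSWORD, and a 5136 "directory object modified" event that writes userAccountControl to 66048 or 66080. Those two literals are NORMAL_ACCOUNT (0x200) plus DONT_EXPIRE_PASSWORD (0x10000), with or without PASSWD_NOTREQD (0x20). The following Python is an added example, not code from the Elastic page or the detection-rules project: it re-implements the rule's logic over constructed sample events and, going one step beyond the page, tests the DONT_EXPIRE_PASSWORD bit of any userAccountControl value so that combinations the literal list does not name (for instance a disabled account, 66050) are also surfaced. The event dictionaries, the TargetUserName/ObjectDN values and the assumption that NewUACList may be either a string or a list of flag names are constructed for this example.

```python
"""Added example, not from the Elastic page or the detection-rules project.
Re-implements the EQL rule in Python over constructed sample events and adds a
flag-level check on userAccountControl that generalises the two literal values.
"""

# Standard Active Directory userAccountControl bits (subset relevant here).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
DONT_EXPIRE_PASSWORD = 0x10000


def decode_uac(value):
    """Return the set of named flags set in a userAccountControl integer."""
    value = int(value)
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def _get(event, path, default=None):
    """Dotted-path lookup into a nested event dict, e.g. 'winlog.event_data.NewUACList'."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def matches_rule(event):
    """Mirror of the page's EQL rule: exact match on the two event shapes it names."""
    if _get(event, "host.os.type") != "windows":
        return False
    code = _get(event, "event.code")
    new_uac = _get(event, "winlog.event_data.NewUACList")
    # Assumption: NewUACList arrives as one string or a list of flag names;
    # EQL '==' on a list-valued field matches when any element is equal.
    if isinstance(new_uac, str):
        new_uac = [new_uac]
    if code == "4738" and new_uac is not None and "USER_DONT_EXPIRE_PASSWORD" in new_uac:
        return True
    if (code == "5136"
            and _get(event, "winlog.event_data.AttributeLDAPDisplayName") == "userAccountControl"
            and _get(event, "winlog.event_data.AttributeValue") in ("66048", "66080")):
        return True
    return False


def sets_never_expiring_password(event):
    """Broader check: for 5136 writes to userAccountControl, test the
    DONT_EXPIRE_PASSWORD bit directly, so values outside the rule's literal list
    (e.g. 66050 = disabled + never-expire) are still caught. 4738 handling is
    unchanged from matches_rule."""
    if _get(event, "host.os.type") != "windows":
        return False
    if (_get(event, "event.code") == "5136"
            and _get(event, "winlog.event_data.AttributeLDAPDisplayName") == "userAccountControl"):
        raw = _get(event, "winlog.event_data.AttributeValue")
        try:
            return bool(int(raw) & DONT_EXPIRE_PASSWORD)
        except (TypeError, ValueError):
            return False
    return matches_rule(event)


def _event(code, **event_data):
    """Build a constructed event in the winlog shape the rule reads."""
    return {"host": {"os": {"type": "windows"}},
            "event": {"code": code},
            "winlog": {"event_data": dict(event_data)}}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # 4738 with the flag list an ingest pipeline would produce.
    _event("4738", TargetUserName="svc_backup",
           NewUACList=["USER_NORMAL_ACCOUNT", "USER_DONT_EXPIRE_PASSWORD"]),
    # 4738 that did not touch the flag.
    _event("4738", TargetUserName="jdoe", NewUACList=["USER_NORMAL_ACCOUNT"]),
    # 5136: userAccountControl = 66048 (NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD).
    _event("5136", ObjectDN="CN=svc_sql,OU=Service Accounts,DC=example,DC=local",
           AttributeLDAPDisplayName="userAccountControl", AttributeValue="66048"),
    # 5136: 66050 adds ACCOUNTDISABLE; outside the rule's literal list.
    _event("5136", ObjectDN="CN=svc_legacy,OU=Service Accounts,DC=example,DC=local",
           AttributeLDAPDisplayName="userAccountControl", AttributeValue="66050"),
    # 5136: 512 = NORMAL_ACCOUNT only.
    _event("5136", ObjectDN="CN=asmith,OU=Users,DC=example,DC=local",
           AttributeLDAPDisplayName="userAccountControl", AttributeValue="512"),
]


def find_hits(events, check=matches_rule):
    """Return the account (TargetUserName for 4738, ObjectDN for 5136) of every event the check flags."""
    return [_get(e, "winlog.event_data.TargetUserName") or _get(e, "winlog.event_data.ObjectDN")
            for e in events if check(e)]


if __name__ == "__main__":
    print("rule literal match:", find_hits(SAMPLE_EVENTS))
    print("flag-bit match    :", find_hits(SAMPLE_EVENTS, sets_never_expiring_password))
    print("66050 decodes to  :", sorted(decode_uac(66050)))
```

Running the block shows the literal rule flagging svc_backup and svc_sql, while the bit-level check also flags svc_legacy, whose 66050 value includes the same DONT_EXPIRE_PASSWORD bit alongside ACCOUNTDISABLE. Whether to widen the production rule that way is a tuning decision: the exact-value list keeps the rule tight against noisy attribute writes, while the bit test trades some precision for coverage of every userAccountControl combination that leaves the password non-expiring.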

Install detection rules in Elastic Security

Detect Account Configured with Never-Expiring Password in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.