Detect when an account has been changed in order for the password to never expire
Account With Password Never Expires Enabled
Query
IdentityDirectoryEvents
| where ActionType == "Account Password Never Expires changed"
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend OriginalValue = AdditionalInfo.['FROM Account Password Never Expires'], NewValue = AdditionalInfo.['TO Account Password Never Expires'], AccountSid = AdditionalFields.TargetAccountSid
| where NewValue == true
| project-reorder Timestamp, TargetAccountUpn, AccountSid, OriginalValue, NewValue, ReportId, DeviceNameAbout this query
Detect when an account has been changed in order for the password to never expire
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1098 | Account Manipulation | https://attack.mitre.org/techniques/T1098/ |
Description
In Active Directory a password can be set so that it will never expire. This is normaly not desirable, because a password should be changed every x period. This query detects when a useraccount is set to Account Password Never Expires.
Risk
A account that has as password that never exprided on and it has a weak password. That makes it vulnerable for Brute Force attacks.
Defender XDR
Sentinel
IdentityDirectoryEvents
| where ActionType == "Account Password Never Expires changed"
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend OriginalValue = AdditionalInfo.['FROM Account Password Never Expires'], NewValue = AdditionalInfo.['TO Account Password Never Expires'], AccountSid = AdditionalFields.TargetAccountSid
| where NewValue == true
| project-reorder TimeGenerated, TargetAccountUpn, AccountSid, OriginalValue, NewValue, ReportId, DeviceName
Explanation
This query is designed to detect changes in user account settings within an Active Directory environment, specifically when an account's password is set to never expire. This situation is generally undesirable because it can lead to security vulnerabilities, such as susceptibility to brute force attacks, especially if the password is weak.
Here's a simple breakdown of what the query does:
-
Data Source: The query looks at events in the
IdentityDirectoryEventstable, which logs changes to user accounts. -
Filter Criteria: It filters for events where the action type is "Account Password Never Expires changed." This means it is specifically looking for changes to the setting that controls whether a password will expire.
-
Extract Information: The query extracts additional information from the event details, such as:
- The original and new values of the "Account Password Never Expires" setting.
- The account's security identifier (SID).
-
Condition: It further filters the results to only include cases where the new value of the setting is
true, indicating that the password has been set to never expire. -
Output: The query organizes the output to show relevant details such as the timestamp of the change, the user account's unique principal name (UPN), the account SID, the original and new values of the setting, the report ID, and the device name where the change was made.
This query is useful for security monitoring, allowing administrators to identify and investigate accounts that have been configured with non-expiring passwords, which could pose a security risk.
