# Detect when an account has been changed in order for the password to never expire
## Query Information
#### Description
In Windows (Active Directory) an account can be flagged so that its password never expires. This is normally undesirable, because the domain password policy expects passwords to be rotated after a set period, and an account carrying this flag is exempt from that rotation. This query detects when a user account is changed so that "Account Password Never Expires" is enabled.
#### Risk
An account whose password never expires keeps the same credential indefinitely. If that password is weak, or has leaked, it stays valid until someone changes it by hand, which makes the account an attractive target for brute-force and password-spraying attacks. The flag is also a convenient way for an attacker to keep a persistence account usable, so an unexpected change of this attribute deserves a look.
## Defender For Endpoint
```
IdentityDirectoryEvents
// Directory change event raised when the "password never expires" flag is toggled on an account
| where ActionType == "Account Password Never Expires changed"
// AdditionalFields is a JSON string that carries the before (FROM) and after (TO) state of the attribute
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend OriginalValue = AdditionalInfo.['FROM Account Password Never Expires']
| extend NewValue = AdditionalInfo.['TO Account Password Never Expires']
// Only keep changes that enable the flag; clearing it restores the desired state and is not alerted on
| where NewValue == true
| project
Timestamp,
AccountName,
AccountDomain,
OriginalValue,
NewValue,
ReportId,
DeviceName
```
## Sentinel
```
IdentityDirectoryEvents
// Directory change event raised when the "password never expires" flag is toggled on an account
| where ActionType == "Account Password Never Expires changed"
// AdditionalFields is a JSON string that carries the before (FROM) and after (TO) state of the attribute
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend OriginalValue = AdditionalInfo.['FROM Account Password Never Expires']
| extend NewValue = AdditionalInfo.['TO Account Password Never Expires']
// Only keep changes that enable the flag; clearing it restores the desired state and is not alerted on
| where NewValue == true
| project
TimeGenerated,
AccountName,
AccountDomain,
OriginalValue,
NewValue,
ReportId,
DeviceName
```
The query detects when a user account has been changed to have a password that never expires. This is a risk because the account can then be brute-forced or abused with a leaked credential indefinitely, especially if the password is weak. For each matching change the query returns the timestamp, account name, account domain, original value, new value, report ID and the device (domain controller) on which the change was observed. The two versions differ only in the timestamp column: Defender uses Timestamp, Sentinel uses TimeGenerated.
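To see how the filter behaves before pointing it at live telemetry, the detection logic can be run over a small constructed dataset. The block below is an added example and is not part of the original query set; the four events in the datatable are made up for illustration, and the column list is reduced to the fields the query uses. It follows the same steps as the queries above but wraps the extracted values in tobool(), so the comparison works whether the FROM/TO values arrive as JSON booleans or as the strings "true"/"false"; the assumption that both forms can occur is mine, not a statement from the original page.

```kql
// Constructed sample events, not real IdentityDirectoryEvents telemetry.
// Row 1: flag enabled (string values)      -> should alert
// Row 2: flag cleared                        -> should be dropped
// Row 3: flag enabled (JSON boolean values) -> should alert
// Row 4: unrelated action type               -> should be dropped
let SampleEvents = datatable(
    Timestamp:datetime,
    ActionType:string,
    AccountName:string,
    AccountDomain:string,
    DeviceName:string,
    ReportId:long,
    AdditionalFields:string
)
[
    datetime(2023-02-14 09:15:00), "Account Password Never Expires changed", "svc-backup", "corp", "DC01.corp.local", 1001,
        '{"FROM Account Password Never Expires":"false","TO Account Password Never Expires":"true"}',
    datetime(2023-02-14 10:20:00), "Account Password Never Expires changed", "jdoe", "corp", "DC01.corp.local", 1002,
        '{"FROM Account Password Never Expires":"true","TO Account Password Never Expires":"false"}',
    datetime(2023-02-14 11:05:00), "Account Password Never Expires changed", "svc-sql", "corp", "DC02.corp.local", 1003,
        '{"FROM Account Password Never Expires":false,"TO Account Password Never Expires":true}',
    datetime(2023-02-14 12:00:00), "Account Password changed", "jdoe", "corp", "DC01.corp.local", 1004,
        '{}'
];
SampleEvents
// Same event filter as the production query
| where ActionType == "Account Password Never Expires changed"
| extend AdditionalInfo = parse_json(AdditionalFields)
// tobool() normalises a JSON boolean or the string "true"/"false" to a bool (assumption: both forms may occur)
| extend OriginalValue = tobool(AdditionalInfo["FROM Account Password Never Expires"])
| extend NewValue = tobool(AdditionalInfo["TO Account Password Never Expires"])
// Alert only when the flag is being switched on
| where NewValue == true
| project Timestamp, AccountName, AccountDomain, OriginalValue, NewValue, ReportId, DeviceName
// Expected result: two rows, svc-backup (ReportId 1001) and svc-sql (ReportId 1003)
```

Running this in any Kusto-backed workspace (Advanced Hunting, Sentinel Logs, or an Azure Data Explorer cluster) should return exactly the two rows in which the flag was enabled; the row where jdoe's flag was cleared and the unrelated password-change event are filtered out. Replace SampleEvents with IdentityDirectoryEvents (and Timestamp with TimeGenerated in Sentinel) to use the same logic on real data.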

Bert-Jan Pals
Released: February 14, 2023