36 строки
1.9 KiB
YAML
36 строки
1.9 KiB
YAML
id: 6c360107-f3ee-4b91-9f43-f4cfd90441cf
|
|
name: AD account with don't expire password - disabled
|
|
description: |
|
|
'Identifies whenever a user account has the setting "Password Never Expires" in the user account properties selected.
|
|
This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089
|
|
%%2089 resolves to "Don't Expire Password - Disabled".'
|
|
severity: Low
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
queryFrequency: 1d
|
|
queryPeriod: 1d
|
|
triggerOperator: gt
|
|
triggerThreshold: 0
|
|
tactics:
|
|
- Persistence
|
|
relevantTechniques:
|
|
- T1098
|
|
query: |
|
|
|
|
let timeframe = 1d;
|
|
SecurityEvent
|
|
| where TimeGenerated >= ago(timeframe)
|
|
| where EventID == 4738
|
|
// 2089 value indicates the Don't Expire Password value has been set
|
|
| where UserAccountControl has "%%2089"
|
|
| extend Value_2089 = iff(UserAccountControl has "%%2089","'Don't Expire Password' - Disabled", "Not Changed")
|
|
// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event.
|
|
| extend Value_2050 = iff(UserAccountControl has "%%2050","'Password Not Required' - Disabled", "Not Changed")
|
|
// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event.
|
|
| extend Value_2082 = iff(UserAccountControl has "%%2082","'Password Not Required' - Enabled", "Not Changed")
|
|
| project StartTimeUtc = TimeGenerated, EventID, Computer, TargetUserName, TargetDomainName, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082
|
|
| extend timestamp = StartTimeUtc, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer
|
|
|