Managed Sentinel – Alert 009
|Alert Name||AD account with don't expire password|
|Description||Identifies whenever a user account has the setting "Password Never Expires" selected in the user account properties. This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089. %%2089 resolves to "Don't Expire Password - Disabled".|
|Threat Indicator||Credential Access|
|MITRE ATT&CK Tactics||Persistence|
|Log sources||Windows Security Event Logs|
|False Positive||Service Accounts|
|Recommendations||1. Validate the business requirement that justifies this type of account. 2. Consider changing the user account password to one of higher complexity. 3. Perform a short investigation to understand any lateral movement of this account in your network.|
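
The detection described above, written as a KQL query over constructed sample rows. This is an added example, not the Managed Sentinel rule itself. It assumes the column names of the SecurityEvent table in Log Analytics, and the allowlist name and its entry are hypothetical.

```kql
// Added example: sample rows below are constructed, not real telemetry.
// Hypothetical allowlist of reviewed service accounts (the alert's known false positive).
let ServiceAccountAllowlist = dynamic(["svc-backup"]);
// Column names assume the SecurityEvent table schema in Log Analytics.
let SampleEvents = datatable(TimeGenerated:datetime, EventID:int, Computer:string,
    SubjectUserName:string, TargetUserName:string, UserAccountControl:string)
[
    datetime(2024-01-10 09:15:00), 4738, "DC01", "helpdesk1", "jdoe",       "%%2089",
    datetime(2024-01-10 09:20:00), 4738, "DC01", "admin2",    "svc-backup", "%%2089",
    datetime(2024-01-10 09:25:00), 4738, "DC01", "helpdesk1", "asmith",     "-",
    datetime(2024-01-10 09:30:00), 4624, "DC01", "-",         "jdoe",       ""
];
SampleEvents                                      // replace with SecurityEvent in a workspace
| where EventID == 4738                           // "A user account was changed"
| where UserAccountControl contains "%%2089"      // flag token named in the alert description
| where TargetUserName !in~ (ServiceAccountAllowlist)   // drop reviewed service accounts
| project TimeGenerated, Computer, ChangedBy = SubjectUserName, TargetUserName, UserAccountControl
| order by TimeGenerated desc
```

Keep the allowlist short and reviewed, since an account on it never raises this alert.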