Managed Sentinel – Alert 009

Alert ID: MS-A009
Alert Name: AD account with don't expire password
Description: Identifies whenever the "Password Never Expires" setting is selected in a user account's properties. This is indicated in Security event 4738 by the EventData item labeled UserAccountControl containing the value %%2089; %%2089 resolves to "Don't Expire Password - Disabled".
Severity Level: Low
Threat Indicator: Credential Access
MITRE ATT&CK Tactics: Persistence
Log sources: Windows Security Event Logs
False Positive: Service Accounts
Recommendations:
1. Validate the business requirements that justify such accounts.
2. Consider changing the account's password to one of higher complexity.
3. Perform a short investigation to understand any lateral movement by this account within your network.
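The detection logic described above, run over constructed sample events, as an added example that is not part of the Managed Sentinel rule: it parses rendered Security event XML, fires only on event 4738 whose UserAccountControl token list contains %%2089, and marks hits on an assumed service-account allowlist as the expected false positive. The account names, domain and the allowlist are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DONT_EXPIRE_TOKEN = "%%2089"       # the UserAccountControl token MS-A009 keys on
SERVICE_ACCOUNTS = {"svc-backup"}  # assumed allowlist: service accounts are the expected false positive

# Constructed sample events in Windows event XML, reduced to the fields this rule reads.
EVENT_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    "<EventID>{eid}</EventID></System><EventData>"
    '<Data Name="SubjectUserName">{subject}</Data><Data Name="TargetUserName">{target}</Data>'
    '<Data Name="TargetDomainName">CORP</Data><Data Name="OldUacValue">{old}</Data>'
    '<Data Name="NewUacValue">{new}</Data><Data Name="UserAccountControl">{uac}</Data>'
    "</EventData></Event>"
)
SAMPLE_EVENTS = [
    EVENT_XML.format(eid=4738, subject="admin01", target="jdoe", old="0x15", new="0x10015", uac="%%2089"),
    EVENT_XML.format(eid=4738, subject="admin01", target="svc-backup", old="0x15", new="0x10015", uac="%%2089"),
    EVENT_XML.format(eid=4738, subject="admin01", target="asmith", old="0x15", new="0x15", uac="-"),
    EVENT_XML.format(eid=4720, subject="admin01", target="newuser", old="0x0", new="0x15", uac="%%2080 %%2082 %%2084"),
]

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from a rendered Security event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def uac_tokens(field):
    # UserAccountControl is a whitespace-separated list of %%nnnn codes ("-" when unchanged);
    # tokenize so a code is matched exactly rather than by substring.
    return set(field.split())

def evaluate(xml_text):
    """Return an MS-A009 finding for one event, or None when the rule does not fire."""
    event_id, data = parse_event(xml_text)
    if event_id != 4738 or DONT_EXPIRE_TOKEN not in uac_tokens(data.get("UserAccountControl", "")):
        return None
    target = data.get("TargetUserName", "")
    return {
        "alert": "MS-A009",
        "account": f"{data.get('TargetDomainName', '')}\\{target}",
        "changed_by": data.get("SubjectUserName", ""),
        "uac_change": f"{data.get('OldUacValue', '')} -> {data.get('NewUacValue', '')}",
        "suppressed": target.lower() in SERVICE_ACCOUNTS,  # known false positive, still recorded
    }

def run(events):
    return [f for f in map(evaluate, events) if f is not None]
```

Calling `run(SAMPLE_EVENTS)` returns two findings, one for jdoe and one suppressed finding for svc-backup; the unchanged-UAC 4738 and the 4720 event produce none.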