[Rule Tuning] Account Configured with Never-Expiring Password
s-bt opened this issue · comments
s-bt commented
Link to rule
Description
The rule does not work on German domain controllers as the events are also in German (please don't get me started on why anyone would install a server in non-English. Still want to help out ;))
Example Data
This is the query that's working for English and German event log entries:
```
event.action:"modified-user-account" and winlog.api:"wineventlog" and event.code:"4738" and
(message:"'Don't Expire Password' - Enabled" or message:"'Kennwort läuft nicht ab' - Aktiviert") and not user.id:"S-1-5-18"
```
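The locale gap described in this issue, replayed over constructed events (an added example, not part of the issue or of the Elastic rule set). It approximates the KQL phrase match with a case-insensitive substring test; the event dictionaries, the non-SYSTEM SID, the surrounding message text and the English-only phrase list standing in for the untuned rule are assumptions.

```python
# Phrases and the excluded SID are taken from the query in the issue.
EN_PHRASE = "'Don't Expire Password' - Enabled"
DE_PHRASE = "'Kennwort läuft nicht ab' - Aktiviert"
SYSTEM_SID = "S-1-5-18"


def matches(event, phrases):
    """Approximate the issue's query: fixed field filters, any phrase in message, not SYSTEM."""
    if event.get("event.action") != "modified-user-account":
        return False
    if event.get("winlog.api") != "wineventlog" or event.get("event.code") != "4738":
        return False
    if event.get("user.id") == SYSTEM_SID:
        return False
    message = event.get("message", "").casefold()
    return any(p.casefold() in message for p in phrases)


def make_event(name, message, user_id="S-1-5-21-1111-2222-3333-1104"):
    # Constructed sample event; the SID and message layout are illustrative only.
    return {"name": name, "event.action": "modified-user-account",
            "winlog.api": "wineventlog", "event.code": "4738",
            "user.id": user_id, "message": message}


SAMPLE_EVENTS = [
    make_event("en-dc", "A user account was changed. User Account Control: " + EN_PHRASE),
    make_event("de-dc", "Ein Benutzerkonto wurde geändert. Benutzerkontensteuerung: " + DE_PHRASE),
    # Same German change, but made by SYSTEM: excluded by the rule.
    make_event("de-dc-system", "Ein Benutzerkonto wurde geändert. " + DE_PHRASE, user_id=SYSTEM_SID),
    # Unrelated account-control change: must not match either phrase list.
    make_event("en-dc-other", "A user account was changed. User Account Control: 'Account Disabled' - Enabled"),
]


def detected(phrases):
    """Return the names of the sample events that the given phrase list flags."""
    return [e["name"] for e in SAMPLE_EVENTS if matches(e, phrases)]


if __name__ == "__main__":
    print("English only:    ", detected([EN_PHRASE]))
    print("English + German:", detected([EN_PHRASE, DE_PHRASE]))
```

Any further display language on a domain controller produces the same silent miss until its phrase is added to the list.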
botelastic commented
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
botelastic commented
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.