elastic / detection-rules

Home Page:https://www.elastic.co/guide/en/security/current/detection-engine-overview.html


[Rule Tuning] Account Configured with Never-Expiring Password

s-bt opened this issue · comments


Link to rule

https://raw.githubusercontent.com/elastic/detection-rules/main/rules/windows/persistence_dontexpirepasswd_account.toml

Description

The rule does not work on German domain controllers as the events are also in German (please don't get me started on why anyone would install a server in non-English. Still want to help out ;))

Example Data

This is the query that's working for English and German event log entries:

```
event.action:"modified-user-account" and winlog.api:"wineventlog" and event.code:"4738" and
(message:"'Don't Expire Password' - Enabled" or message:"'Kennwort läuft nicht ab' - Aktiviert") and not user.id:"S-1-5-18"
```
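Added example (not code from the issue or from elastic/detection-rules): the query above re-expressed as a Python predicate over ECS-style event dicts, with the localized event 4738 strings kept in one table so further locales can be added in one place. Flat dotted keys and the sample events are constructed assumptions, not real documents.

```python
# Added example, not detection-rules code: the issue's KQL query as a predicate
# over ECS-style dicts (flat dotted keys simplify the real document layout).

# Localized renderings of the event 4738 marker, as quoted in the issue.
DONT_EXPIRE_ENABLED = {
    "en": "'Don't Expire Password' - Enabled",
    "de": "'Kennwort läuft nicht ab' - Aktiviert",
}

LOCAL_SYSTEM_SID = "S-1-5-18"  # excluded by the rule, exactly as in the query


def matching_locale(event):
    """Return the locale whose marker matched, or None when the rule would not fire."""
    if event.get("event.action") != "modified-user-account":
        return None
    if event.get("winlog.api") != "wineventlog" or event.get("event.code") != "4738":
        return None
    if event.get("user.id") == LOCAL_SYSTEM_SID:
        return None
    message = event.get("message", "")
    for locale, marker in DONT_EXPIRE_ENABLED.items():
        if marker in message:
            return locale
    return None


def detect(events):
    """Return (user.id, locale) for every event the rule would alert on."""
    hits = []
    for ev in events:
        locale = matching_locale(ev)
        if locale is not None:
            hits.append((ev.get("user.id"), locale))
    return hits


def _event(code, message, user_id):
    """Build a constructed event in the field layout the query refers to."""
    return {"event.action": "modified-user-account", "winlog.api": "wineventlog",
            "event.code": code, "message": message, "user.id": user_id}


SAMPLE_EVENTS = [  # constructed, not real log data
    _event("4738", "4738: 'Don't Expire Password' - Enabled", "S-1-5-21-1-2-3-1105"),
    _event("4738", "4738: 'Kennwort läuft nicht ab' - Aktiviert", "S-1-5-21-1-2-3-1106"),
    _event("4738", "4738: 'Don't Expire Password' - Enabled", "S-1-5-18"),  # SYSTEM, excluded
    _event("4738", "4738: 'Don't Expire Password' - Disabled", "S-1-5-21-1-2-3-1107"),
    _event("4720", "A user account was created.", "S-1-5-21-1-2-3-1108"),
]
```

Running `detect(SAMPLE_EVENTS)` yields only the English and the German hit; the SYSTEM-subject, "Disabled" and 4720 events are dropped, mirroring the query's filters.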

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.