
Detect When An Account Has Been Changed To Password To Never Expire

Description

In Windows a password can be set so that it never expires. This is normally not desirable, because a password should be changed within a defined period. This KQL query detects when a user account is set to Account Password Never Expires.

Risk

An account whose password never expires, combined with a weak password, is vulnerable to brute-force attacks: the weak password is never rotated out.

Query

Microsoft Defender For Endpoint
Kusto
IdentityDirectoryEvents
// Only the event raised when the "Password never expires" flag is toggled
| where ActionType == "Account Password Never Expires changed"
| extend AdditionalInfo = parse_json(AdditionalFields)
// The old and new values of the flag are carried in AdditionalFields
| extend OriginalValue = AdditionalInfo.['FROM Account Password Never Expires']
| extend NewValue = AdditionalInfo.['TO Account Password Never Expires']
// Keep only changes that enable the flag; clearing it is the safe direction
| where NewValue == true
| project
     Timestamp,
     AccountName,
     AccountDomain,
     OriginalValue,
     NewValue,
     ReportId,
     DeviceName

Microsoft Sentinel
Kusto
IdentityDirectoryEvents
// Only the event raised when the "Password never expires" flag is toggled
| where ActionType == "Account Password Never Expires changed"
| extend AdditionalInfo = parse_json(AdditionalFields)
// The old and new values of the flag are carried in AdditionalFields
| extend OriginalValue = AdditionalInfo.['FROM Account Password Never Expires']
| extend NewValue = AdditionalInfo.['TO Account Password Never Expires']
// Keep only changes that enable the flag; clearing it is the safe direction
| where NewValue == true
| project
     TimeGenerated,
     AccountName,
     AccountDomain,
     OriginalValue,
     NewValue,
     ReportId,
     DeviceName
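As an added example (not code from the original post), the same detection logic written in Python and run over constructed IdentityDirectoryEvents-shaped records, which also shows what the AdditionalFields payload the query parses looks like. The domain, device names, report ids and the string-typed boolean variant in the third row are assumptions, not values from the page.

```python
import json

ACTION = "Account Password Never Expires changed"
FROM_KEY = "FROM Account Password Never Expires"
TO_KEY = "TO Account Password Never Expires"

def row(ts, action, account, report_id, device, fields):
    """Build one constructed IdentityDirectoryEvents-shaped record."""
    return {"Timestamp": ts, "ActionType": action, "AccountName": account,
            "AccountDomain": "corp.example", "ReportId": report_id,
            "DeviceName": device, "AdditionalFields": json.dumps(fields)}

# Constructed sample rows, not real telemetry. The string-typed booleans in the
# third row are an assumed variant used to show tolerant parsing.
SAMPLE_EVENTS = [
    row("2024-05-01T10:00:00Z", ACTION, "svc-backup", 101, "DC01",
        {FROM_KEY: False, TO_KEY: True}),      # flag enabled -> should alert
    row("2024-05-01T10:05:00Z", ACTION, "jdoe", 102, "DC01",
        {FROM_KEY: True, TO_KEY: False}),      # flag cleared -> safe direction
    row("2024-05-01T10:07:00Z", ACTION, "admin2", 103, "DC02",
        {FROM_KEY: "False", TO_KEY: "True"}),  # booleans serialised as strings
    row("2024-05-01T10:09:00Z", "Account Password changed", "jdoe", 104, "DC01", {}),
]

def as_bool(value):
    """Accept a JSON boolean or a 'true'/'false' string; anything else is False."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False

def find_never_expire_enabled(events):
    """Mirror the KQL: filter on ActionType, parse AdditionalFields, keep TO == true."""
    hits = []
    for ev in events:
        if ev.get("ActionType") != ACTION:
            continue
        try:
            info = json.loads(ev.get("AdditionalFields") or "{}")
        except json.JSONDecodeError:
            continue  # malformed row: skip it rather than abort the whole run
        if not as_bool(info.get(TO_KEY)):
            continue  # flag was cleared, nothing to alert on
        hits.append({"Timestamp": ev["Timestamp"], "AccountName": ev["AccountName"],
                     "AccountDomain": ev["AccountDomain"], "DeviceName": ev["DeviceName"],
                     "OriginalValue": as_bool(info.get(FROM_KEY)), "NewValue": True,
                     "ReportId": ev["ReportId"]})
    return hits
```

Only the two rows where the flag is switched on are returned; the revert and the unrelated action type are filtered out, exactly as the `where` clauses in the query do.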
