Techniques
Sample rules
Windows Valid Account With Never Expires Password
- source: splunk
- technicques:
- T1489
Description
The following analytic identifies net.exe updating user account policies for password requirement with non-expiring password. This technique was seen in several adversaries and malware like Azorult to maintain the foothold (persistence), gaining privilege escalation, defense evasion and possible for lateral movement for specific users or created user account on the targeted host. This TTP detections is a good pivot to see further what other events that users executes on the machines.
Detection logic
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process="* accounts *" AND Processes.process="* /maxpwage:unlimited" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_valid_account_with_never_expires_password_filter`