User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to credential access attacks. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.

Techniques

Sample rules

Account Configured with Never-Expiring Password

Description

Detects the creation and modification of an account with the “Don’t Expire Password” option enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.

Detection logic

any where host.os.type == "windows" and
(
  (
    // 4738 (user account changed): the new UAC list shows the flag being set; changes made by SYSTEM are excluded
    event.code == "4738" and winlog.event_data.NewUACList == "USER_DONT_EXPIRE_PASSWORD" and not user.id == "S-1-5-18"
  ) or
  (
    // 5136 (directory object modified): userAccountControl written as 66048 (NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD)
    // or 66080 (the same plus PASSWD_NOTREQD); OperationType %%14674 is "Value Added"
    event.code == "5136" and winlog.event_data.AttributeLDAPDisplayName == "userAccountControl" and
    winlog.event_data.AttributeValue in ("66048", "66080") and winlog.event_data.OperationType == "%%14674" and
    not (
      // false-positive exclusions: service-account naming conventions in the actor name or the target DN
      winlog.event_data.SubjectUserName : "*svc*" or
      winlog.event_data.ObjectDN : "*Service*"
    )
  )
)
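To see how the rule and its false-positive exclusions behave on concrete events, the following is an added Python re-implementation of the detection logic above, run over constructed, flattened Windows security events. It is not part of the LoFP page or of the rule itself; the field names follow the query, and the event values are made up for illustration.

```python
# Added example: re-implementation of the "Account Configured with Never-Expiring
# Password" logic, used here to check which constructed events would alert.
import fnmatch

NEVER_EXPIRE_UAC = {"66048", "66080"}  # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD (+ PASSWD_NOTREQD)
SYSTEM_SID = "S-1-5-18"
VALUE_ADDED = "%%14674"                # 5136 OperationType "Value Added"

def _like(value, pattern):
    """EQL ':' operator: case-insensitive wildcard match."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())

def matches_rule(ev):
    """Return True when a flattened event satisfies the detection logic."""
    if ev.get("host.os.type") != "windows":
        return False
    if ev.get("event.code") == "4738":
        return (ev.get("winlog.event_data.NewUACList") == "USER_DONT_EXPIRE_PASSWORD"
                and ev.get("user.id") != SYSTEM_SID)
    if ev.get("event.code") == "5136":
        if (ev.get("winlog.event_data.AttributeLDAPDisplayName") != "userAccountControl"
                or ev.get("winlog.event_data.AttributeValue") not in NEVER_EXPIRE_UAC
                or ev.get("winlog.event_data.OperationType") != VALUE_ADDED):
            return False
        # False-positive exclusions: service-account naming conventions.
        return not (_like(ev.get("winlog.event_data.SubjectUserName", ""), "*svc*")
                    or _like(ev.get("winlog.event_data.ObjectDN", ""), "*Service*"))
    return False

def alerting_targets(events):
    """Target user name (4738) or object DN (5136) of every event that alerts."""
    return [ev.get("winlog.event_data.TargetUserName") or ev.get("winlog.event_data.ObjectDN")
            for ev in events if matches_rule(ev)]

# Constructed sample events (not real log data).
E5136 = {"host.os.type": "windows", "event.code": "5136", "winlog.event_data.OperationType": VALUE_ADDED,
         "winlog.event_data.AttributeLDAPDisplayName": "userAccountControl"}
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.code": "4738", "user.id": "S-1-5-21-1-2-3-1105",
     "winlog.event_data.NewUACList": "USER_DONT_EXPIRE_PASSWORD", "winlog.event_data.TargetUserName": "jdoe"},
    {"host.os.type": "windows", "event.code": "4738", "user.id": SYSTEM_SID,  # SYSTEM actor: excluded
     "winlog.event_data.NewUACList": "USER_DONT_EXPIRE_PASSWORD", "winlog.event_data.TargetUserName": "krbtgt"},
    {**E5136, "winlog.event_data.AttributeValue": "66048", "winlog.event_data.SubjectUserName": "admin",
     "winlog.event_data.ObjectDN": "CN=backup01,OU=Users,DC=corp,DC=example"},
    {**E5136, "winlog.event_data.AttributeValue": "66080", "winlog.event_data.SubjectUserName": "svc_deploy",
     "winlog.event_data.ObjectDN": "CN=sqlsvc,OU=Service Accounts,DC=corp,DC=example"},  # excluded by naming
    {**E5136, "winlog.event_data.AttributeValue": "512", "winlog.event_data.SubjectUserName": "admin",
     "winlog.event_data.ObjectDN": "CN=temp01,OU=Users,DC=corp,DC=example"},  # flag not set
]

if __name__ == "__main__":
    print(alerting_targets(SAMPLE_EVENTS))
```

Running it shows that only the `jdoe` change and the `backup01` modification alert; the SYSTEM-originated change and the service-account-named objects are suppressed by the rule's exclusions, which is exactly where the false positives this page describes are filtered.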