[Rule Tuning] Account Configured with Never-Expiring Password (#4459)

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-02-17 07:19:33 -03:00
parent 15177246cc
commit b951e86a55
1 changed files with 9 additions and 3 deletions
@@ -2,7 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/12"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -80,10 +80,16 @@ type = "eql"
 query = '''
 any where host.os.type == "windows" and
 (
-  (event.code == "4738" and winlog.event_data.NewUACList == "USER_DONT_EXPIRE_PASSWORD") or
+  (
+    event.code == "4738" and winlog.event_data.NewUACList == "USER_DONT_EXPIRE_PASSWORD" and not user.id == "S-1-5-18"
+  ) or
  (
    event.code == "5136" and winlog.event_data.AttributeLDAPDisplayName == "userAccountControl" and
-    winlog.event_data.AttributeValue in ("66048", "66080")
+    winlog.event_data.AttributeValue in ("66048", "66080") and winlog.event_data.OperationType == "%%14674" and
+    not (
+      winlog.event_data.SubjectUserName : "*svc*" or
+      winlog.event_data.ObjectDN : "*Service*"
+    )
  )
 )
 '''