From b951e86a559febd2cea9a1d211b60326f784c712 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 17 Feb 2025 07:19:33 -0300
Subject: [PATCH] [Rule Tuning] Account Configured with Never-Expiring Password (#4459)

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---
 .../persistence_dontexpirepasswd_account.toml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index 2f4688477..9356aa5d9 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/02/22"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/12"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

@@ -80,10 +80,16 @@ type = "eql"
 query = '''
 any where host.os.type == "windows" and
 (
-  (event.code == "4738" and winlog.event_data.NewUACList == "USER_DONT_EXPIRE_PASSWORD") or
+  (
+    event.code == "4738" and winlog.event_data.NewUACList == "USER_DONT_EXPIRE_PASSWORD" and not user.id == "S-1-5-18"
+  ) or
   (
     event.code == "5136" and winlog.event_data.AttributeLDAPDisplayName == "userAccountControl" and
-    winlog.event_data.AttributeValue in ("66048", "66080")
+    winlog.event_data.AttributeValue in ("66048", "66080") and winlog.event_data.OperationType == "%%14674" and
+    not (
+      winlog.event_data.SubjectUserName : "*svc*" or
+      winlog.event_data.ObjectDN : "*Service*"
+    )
   )
 )
 '''
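Review bot: The exclusion added to the 5136 branch, `not (winlog.event_data.SubjectUserName : "*svc*" or winlog.event_data.ObjectDN : "*Service*")`, keys on values the actor performing the change can influence, so the rule now stays silent for any subject name containing "svc" and any target object under a DN containing "Service", whoever made the change and whatever the account is for. A broad wildcard exclusion on attacker-influenceable fields carves a standing blind spot into a persistence rule; a narrower tuning would exclude a reviewed list of known service-account naming patterns or approved OUs, and in any case the rule's false_positives/note fields (outside this hunk) should state that accounts matching these patterns are deliberately not covered here so analysts know to look elsewhere. The 4738 branch only excludes SYSTEM (`not user.id == "S-1-5-18"`), so the same service-account change still alerts when it arrives as 4738 but not as 5136; the commit should say whether that asymmetry is intended. The `"%%14674"` literal on OperationType is opaque to a reader, and an EQL line comment above it such as `// OperationType %%14674 = "Value Added" (vs. %%14675 "Value Deleted")` would document why only that operation is matched, if that resolution is confirmed against the 5136 event schema.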