Saturday, 9 February 2019

Threat Hunting #22 - Detecting user accounts set with password to never expire

Having a normal user account's password set to never expire is a bit abnormal; it is usually associated with a service account, or with the bad practice of giving domain-admin-like accounts a password that never expires.

Although it seems a trivial idea, I've learned that few pay attention to it (from a security point of view rather than as a compliance requirement). In this short post we'll explore 3 methods for hunting for such accounts and the events that create them:

Method 1:

Using AD Explorer.exe (Sysinternals) you can hunt live with the following search filter:
  • UserAccountControl = 66048 (account enabled and password set to never expire)
  • CN exclude "Service Account" (if you have a different OU for SA, exclude them all so you are left with only normal user accounts)
  • PrimarygroupID=513 (user account)

Here are common values of the AD attribute userAccountControl and their meaning:

512 - Enable Account
514 - Disable account
544 - Account Enabled - Require user to change password at first logon
4096 - Workstation/server
66048 - Enabled, password never expires
66050 - Disabled, password never expires
262656 - Smart Card Logon Required
532480 - Domain controller

Method 2:

Using event ID 4738 "A user account was changed" and filtering on the Old UAC Value and New UAC Value attributes:

We are looking for the following combination values:

  • Old UAC Value: 0x10 -> New UAC Value: 0x210
  • Old UAC Value: 0x11 -> New UAC Value: 0x210
  • Old UAC Value: 0x15 -> New UAC Value: 0x210

Meaning of the Old and New UAC values:

0x10: Account Enabled
0x11: Account Disabled
0x210: Account Enabled, Password Never Expires
0x15: Account Disabled, Password Not Required
0x211: Account Disabled, Password Never Expires

Example of an IBM QRadar AQL query that returns the matching transitions (including 0x211 -> 0x210, i.e. a never-expires account being re-enabled):

select "SourceUserName", "TargetAccount", "ChangedAttributes" from events where eventid=4738 and UTF8(payload) imatches '(.*0x11.+0x210.*)|(.*0x15.+0x210.*)|(.*0x10.+0x210.*)|(.*0x211.+0x210.*)' last 90 days

Always verify whether the TargetAccount belongs to a legitimate service or not. Pay particular attention when the UAC value changes from 0x10 to 0x210 (a normal, enabled user account having its password set to never expire, which is very rare). Below is an example of a matching legitimate event where the target account was a service account.
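As an added example (not from the original post), the Python below applies the Method 1 and Method 2 checks as bit tests rather than exact-value matches, so it also catches accounts and transitions outside the listed values. The LDAP and SAM flag constants are the documented ones; the log-line layout and the sample events are constructed.

```python
import re

# LDAP userAccountControl bits (ADS_USER_FLAG) used by Method 1:
# 66048 == 0x10200 == NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD.
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWD = 0x10000

# Event 4738 "Old/New UAC Value" fields use the SAM USER_* encoding (ntsam.h),
# which is why 0x210 there means enabled + password never expires.
SAM_ACCOUNT_DISABLED = 0x001
SAM_DONT_EXPIRE_PASSWORD = 0x200

def ldap_enabled_never_expires(uac: int) -> bool:
    """Method 1 as a bit test instead of 'UserAccountControl = 66048': also
    matches 66080, 66112, ... where extra flags sit beside DONT_EXPIRE_PASSWD."""
    return bool(uac & UAC_NORMAL_ACCOUNT and uac & UAC_DONT_EXPIRE_PASSWD
                and not uac & UAC_ACCOUNTDISABLE)

def sam_enabled_never_expires(sam: int) -> bool:
    """Same state in the event-log encoding: true for 0x210, false for 0x211/0x10."""
    return bool(sam & SAM_DONT_EXPIRE_PASSWORD and not sam & SAM_ACCOUNT_DISABLED)

# Hypothetical QRadar-normalised 4738 fragment: target name plus old/new UAC.
LINE_RE = re.compile(r"TargetAccount:\s*(\S+).*?Old UAC Value:\s*(0x[0-9a-f]+)"
                     r".*?New UAC Value:\s*(0x[0-9a-f]+)", re.I)

def hunt_4738(lines):
    """Return (target, old, new) for changes that end in the enabled + never-expires
    state and did not start there: the four pairs in the AQL query
    (0x10/0x11/0x15/0x211 -> 0x210) plus any other old value, e.g. 0x14 -> 0x214."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        target, old, new = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
        if sam_enabled_never_expires(new) and not sam_enabled_never_expires(old):
            hits.append((target, old, new))
    return hits

# Constructed sample events, not real log data.
SAMPLE_4738 = [
    "EventID=4738 TargetAccount: svc_backup Old UAC Value: 0x15 New UAC Value: 0x210",
    "EventID=4738 TargetAccount: jdoe Old UAC Value: 0x10 New UAC Value: 0x210",
    "EventID=4738 TargetAccount: bob Old UAC Value: 0x211 New UAC Value: 0x210",
    "EventID=4738 TargetAccount: mwhite Old UAC Value: 0x14 New UAC Value: 0x214",
    "EventID=4738 TargetAccount: svc_sql Old UAC Value: 0x210 New UAC Value: 0x210",
]
```

Running hunt_4738(SAMPLE_4738) returns the first four accounts and skips svc_sql, whose password was already non-expiring before the change.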

Method 3:

Using the Sysmon Process Creation event or a similar source (EDR query language), look for processes whose command line contains the value "passwordchg".

CBR rule: cmdline:passwordchg*
