Saturday, 9 February 2019

Threat Hunting #22 - Detecting user accounts set with password to never expire



Having a normal user account's password set to never expire is a bit abnormal, often it will be associated to a service account or to a bad practice of having domain admin like accounts set with Pwd to never expire.

Although it seems to be a trivial idea, I've learned that few pay attention to it (from a security point of view rather than compliance requirements). In this short post we'll be exploring 3 methods for hunting for similar events:

Method 1:

Using AD Explorer.exe you can hunt live using the following search filter:
  • UserAccountControl = 66048 (account enabled and password set to never expire)
  • CN exclude "Service Account" (if you have a different OU for SA, exclude them all so you are left with only normal user accounts)
  • PrimarygroupID=513 (user account)

Here are the values/descriptions for the AD attribute for userAccountControl

512 - Enable Account
514 - Disable account
544 - Account Enabled - Require user to change password at first logon
4096 - Workstation/server
66048 - Enabled, password never expires
66050 - Disabled, password never expires
66080 - Enabled, DONT_EXPIRE_PASSWORD - PASSWD_NOTREQD
262656 - Smart Card Logon Required
532480 - Domain controller

Method 2:

Using eventid 4738 "user account was changed" and filtering by Old UAC Value and New UAC Value attributes :

We are looking for the following combination values:

  •  Old UAC Value : 0x10  -> New UAC Value: 0x210
  •  Old UAC Value : 0x11 -> New UAC Value: 0x210
  •  Old UAC Value : 0x15 -> New UAC Value: 0x210

New and Olad UAC values meaning :

0x10: Account Enabled
0x11: Account Disabled
0x210: Account Enabled, Password Never Expires
0x15: Account Disabled, Passwod Not Reruied 
0x211: Account Disabled, Password Never Expires 


Example of an IBM Qradar AQL query:

select "SourceUserName", "TargetAccount", "ChangedAttributes" from events where eventid=4738 and not (UTF8(payload) imatches '(.*0x11.+0x210.*)|(.*0x15.+0x210.*)|(.*0x10.+0x210.*)||(.*0x211.+0x210.*)') last 90 days

Always verify the if TargetAccount is associated to a legit service or not. Pay particular attention when UAC changes from 0x10 to 0x210 (very rare).  Below an example of a matching legit event where the target account name was a service account.



Method 3:

Using sysmon Process Creation event or similar (EDR query language) look for processes with commandline value like "passwordchg''

CBR rule:  cmdline:passwordchg*


References:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4738



No comments:

Post a Comment