Managed Sentinel – Alert 009
Alert ID | MS-A009 |
Alert Name | AD account with don't expire password |
Description | Identifies whenever a user account has the setting "Password Never Expires" selected in the user account properties. This is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089. %%2089 resolves to "Don't Expire Password - Disabled". |
Severity Level | Low |
Threat Indicator | Credential Access |
MITRE ATT&CK Tactics | Persistence |
Log sources | Windows Security Event Logs |
False Positive | Service Accounts |
Recommendations | 1. Validate the business requirements that justify this type of account. 2. Consider changing the user account password to one with higher complexity. 3. Perform a short investigation to identify any lateral movement by this account in your network. |
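
The check in the Description, applied to exported event XML, as an added example (not the Managed Sentinel rule itself). The sample events are constructed, and the `SERVICE_ACCOUNTS` allowlist with its `svc_backup` entry is a hypothetical way to tag the false-positive case listed above.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NEVER_EXPIRES = "%%2089"             # token named in the alert description
SERVICE_ACCOUNTS = {"svc_backup"}    # assumption: reviewed allowlist (hypothetical name)


def make_event(event_id, target, subject, uac):
    """Build a trimmed, constructed event record (not real log data)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="TargetUserName">{target}</Data>'
        f'<Data Name="SubjectUserName">{subject}</Data>'
        f'<Data Name="UserAccountControl">{uac}</Data></EventData></Event>'
    )


SAMPLE_EVENTS = [
    make_event(4738, "jsmith", "admin1", "\n\t\t%%2089"),                 # flag set
    make_event(4738, "svc_backup", "admin1", "\n\t\t%%2048\n\t\t%%2089"),  # set, with a second token
    make_event(4738, "bob", "admin2", "-"),                               # UAC unchanged
    make_event(4724, "alice", "admin2", "-"),                             # different event ID
]


def parse_event(xml_text):
    """Return (EventID, {Data Name: text}) for one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data


def detect(events, allowlist=SERVICE_ACCOUNTS):
    """Return one finding per 4738 event whose UserAccountControl lists %%2089."""
    findings = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id != 4738:
            continue
        # The field holds whitespace-separated tokens, or "-" when unchanged.
        if NEVER_EXPIRES not in data.get("UserAccountControl", "").split():
            continue
        target = data.get("TargetUserName", "")
        findings.append({
            "target": target,
            "changed_by": data.get("SubjectUserName", ""),
            "known_service_account": target.lower() in allowlist,
        })
    return findings
```

Findings tagged `known_service_account` still warrant the validation step in Recommendations; the tag only helps triage order.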