Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Rule Tuning] Account Configured with Never-Expiring Password #3397

Open
s-bt opened this issue Jan 22, 2024 · 4 comments · May be fixed by #4410
Open

[Rule Tuning] Account Configured with Never-Expiring Password #3397

s-bt opened this issue Jan 22, 2024 · 4 comments · May be fixed by #4410
Labels
backlog community Rule: Tuning tweaking or tuning an existing rule

Comments

@s-bt
Copy link

s-bt commented Jan 22, 2024

Link to rule

https://raw.githubusercontent.com/elastic/detection-rules/main/rules/windows/persistence_dontexpirepasswd_account.toml

Description

The rule does not work on german domain controllers as the events are also in german (please don't get my started on why anyone would install a server in non-english. Still want to help out ;))

Example Data

This is the query that's working for english and german event log entries:

event.action:"modified-user-account" and winlog.api:"wineventlog" and event.code:"4738" and
(message:"'Don't Expire Password' - Enabled" or message :"'Kennwort läuft nicht ab' - Aktiviert") and not user.id:"S-1-5-18"```
@s-bt s-bt added the Rule: Tuning tweaking or tuning an existing rule label Jan 22, 2024
@botelastic
Copy link

botelastic bot commented Mar 22, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Mar 22, 2024
@botelastic
Copy link

botelastic bot commented Mar 29, 2024

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

@botelastic botelastic bot closed this as completed Mar 29, 2024
@Mikaayenson Mikaayenson added backlog Area: RAD and removed stale 60 days of inactivity labels Mar 30, 2024
@Mikaayenson Mikaayenson reopened this Mar 30, 2024
@w0rk3r
Copy link
Contributor

w0rk3r commented Jun 24, 2024

Thanks for the suggestion/contribution, but I think this may be a better modification to be done locally, as there are a lot of possibilities on languages and that can get complicated very quickly.

@w0rk3r w0rk3r closed this as completed Jun 24, 2024
@w0rk3r w0rk3r reopened this Jan 22, 2025
@w0rk3r
Copy link
Contributor

w0rk3r commented Jan 22, 2025

Hey @s-bt, I'm reopening this one as part of an effort for our rules to be language agnostic, I'll be submitting a PR shortly that will solve this and other cases, thanks for reporting it!

@w0rk3r w0rk3r linked a pull request Jan 22, 2025 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backlog community Rule: Tuning tweaking or tuning an existing rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Rule Tuning] Improve Detection Compatibility with Non-English Logs elastic/detection-rules
3 participants
@Mikaayenson @w0rk3r @s-bt