In Windows, a password can be set so that it never expires. This is normally not desirable, because a password must be changed periodically. This query detects when a user account is set to Account Password Never Expires.
An account whose password never expires and that also has a weak password is vulnerable to brute-force attacks.

// Microsoft Defender XDR (advanced hunting): the event time column is Timestamp
IdentityDirectoryEvents
| where ActionType == "Account Password Never Expires changed"
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend OriginalValue = AdditionalInfo.['FROM Account Password Never Expires']
| extend NewValue = AdditionalInfo.['TO Account Password Never Expires']
// Keep only changes that turn the never-expires flag on
| where NewValue == true
| project
    Timestamp,
    AccountName,
    AccountDomain,
    OriginalValue,
    NewValue,
    ReportId,
    DeviceName

// Microsoft Sentinel: same query, the event time column is TimeGenerated
IdentityDirectoryEvents
| where ActionType == "Account Password Never Expires changed"
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend OriginalValue = AdditionalInfo.['FROM Account Password Never Expires']
| extend NewValue = AdditionalInfo.['TO Account Password Never Expires']
// Keep only changes that turn the never-expires flag on
| where NewValue == true
| project
    TimeGenerated,
    AccountName,
    AccountDomain,
    OriginalValue,
    NewValue,
    ReportId,
    DeviceName
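
The detection logic above, run over a small constructed data set so the filter can be checked without live telemetry. This is an added example, not part of the original query set: the account names, domain, device names, report IDs and the exact shape of `AdditionalFields` are assumptions, and it goes slightly beyond the original by normalising the flag with `tobool(tostring(...))` so that a value stored as the string "True" is matched as well as a boolean `true`.

```kql
// Constructed sample events, not real telemetry.
// Assumption: AdditionalFields carries the FROM/TO keys that the query reads.
let SampleEvents = datatable(
    Timestamp: datetime, ActionType: string, AccountName: string,
    AccountDomain: string, DeviceName: string, ReportId: string,
    AdditionalFields: dynamic)
[
    // Flag switched on, boolean values: should be returned
    datetime(2024-03-01 08:00:00), "Account Password Never Expires changed", "svc-backup", "contoso.example", "dc01", "1001",
        dynamic({"FROM Account Password Never Expires": false, "TO Account Password Never Expires": true}),
    // Flag switched off: should be filtered out
    datetime(2024-03-01 09:30:00), "Account Password Never Expires changed", "jdoe", "contoso.example", "dc01", "1002",
        dynamic({"FROM Account Password Never Expires": true, "TO Account Password Never Expires": false}),
    // Flag switched on, values stored as strings: returned only because of the normalisation below
    datetime(2024-03-02 11:15:00), "Account Password Never Expires changed", "svc-sql", "contoso.example", "dc02", "1003",
        dynamic({"FROM Account Password Never Expires": "False", "TO Account Password Never Expires": "True"}),
    // Unrelated action type (constructed placeholder value): should be filtered out
    datetime(2024-03-02 12:00:00), "Some other action (constructed)", "asmith", "contoso.example", "dc02", "1004",
        dynamic({})
];
SampleEvents
| where ActionType == "Account Password Never Expires changed"
| extend AdditionalInfo = parse_json(AdditionalFields)
// Normalise to bool so both true and "True" compare equal to true
| extend OriginalValue = tobool(tostring(AdditionalInfo['FROM Account Password Never Expires'])),
         NewValue = tobool(tostring(AdditionalInfo['TO Account Password Never Expires']))
| where NewValue == true
| project
    Timestamp,
    AccountName,
    AccountDomain,
    OriginalValue,
    NewValue,
    ReportId,
    DeviceName
```

To use the normalised form against live data, replace `SampleEvents` with `IdentityDirectoryEvents` and, in Sentinel, `Timestamp` with `TimeGenerated`.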