Account Password Not Required Changed (UAC Bypass) – Microsoft Defender for Identity
Detects when the “Password Not Required” flag is set or modified on a user account in Active Directory. This change weakens authentication controls and may allow access to the account without a password being enforced; it can indicate misuse or an attempt to bypass security policy and should be investigated.
Detection Query
#Vendor="microsoft"
| #event.dataset="defender-identity.IdentityDirectoryEvents"
| event.action = "account password not required changed"
| #event.outcome = success
| table([@timestamp,user.name,Vendor.properties.TargetAccountUpn,"Vendor.properties.AdditionalFields.TARGET_OBJECT.USER",user.target.name])
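As an added example (not the page's or CrowdStrike's code), the query's equality filters and table() projection re-implemented in Python and run over constructed sample events, so the detection logic can be exercised offline. Field names are assumed to be the flattened paths used in the query, and every record is made up.

```python
# Added example, not from the page or CrowdStrike: the detection query's
# filter expressed in Python and run over constructed sample events, so the
# logic can be checked offline. Keys mirror the query's field paths exactly;
# every record below is constructed, not real telemetry.

# The query's equality filters, as data: field path -> required value.
RULE = {
    "Vendor": "microsoft",
    "event.dataset": "defender-identity.IdentityDirectoryEvents",
    "event.action": "account password not required changed",
    "event.outcome": "success",
}

# Columns selected by the query's table() call.
COLUMNS = [
    "@timestamp",
    "user.name",
    "Vendor.properties.TargetAccountUpn",
    "Vendor.properties.AdditionalFields.TARGET_OBJECT.USER",
    "user.target.name",
]

# Constructed sample records: one true hit, one failed attempt (excluded by
# the outcome filter), one unrelated directory change, one other vendor.
SAMPLE_EVENTS = [
    {**RULE, "@timestamp": "2024-05-01T10:15:00Z", "user.name": "jdoe",
     "user.target.name": "svc_backup",
     "Vendor.properties.TargetAccountUpn": "svc_backup@corp.example",
     "Vendor.properties.AdditionalFields.TARGET_OBJECT.USER": "svc_backup"},
    {**RULE, "event.outcome": "failure", "@timestamp": "2024-05-01T10:16:00Z",
     "user.name": "jdoe", "user.target.name": "svc_sql"},
    {**RULE, "event.action": "account display name changed",
     "@timestamp": "2024-05-01T10:17:00Z", "user.name": "hr_admin",
     "user.target.name": "mbrown"},
    {**RULE, "Vendor": "okta", "@timestamp": "2024-05-01T10:18:00Z",
     "user.name": "jdoe", "user.target.name": "svc_backup"},
]


def matches(event: dict, rule: dict = RULE) -> bool:
    """True when every filter in the rule matches the event exactly."""
    return all(event.get(field) == value for field, value in rule.items())


def detect(events: list) -> list:
    """Return the table() rows (selected columns only) for matching events."""
    return [{col: e.get(col) for col in COLUMNS} for e in events if matches(e)]


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```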
Author
Kundan Kumar
Data Sources
Identity
Tags
Detection, cs_module:Identity
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Account Password Not Required Changed (UAC Bypass) – Microsoft Defender for Identity
# MITRE ATT&CK technique IDs
mitre_ids:
- T1556
# Description of what the query does and its purpose.
description: |
  Detects when the “Password Not Required” flag is set or modified on a user account in Active Directory. This change weakens authentication controls and may allow access to the account without a password being enforced; it can indicate misuse or an attempt to bypass security policy and should be investigated.
# The author or team that created the query.
author: Kundan Kumar
# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
- Identity
# The CrowdStrike modules required to run this query.
cs_required_modules:
- Identity
# Tags for filtering and categorization.
tags:
- Detection
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #Vendor="microsoft"
  | #event.dataset="defender-identity.IdentityDirectoryEvents"
  | event.action = "account password not required changed"
  | #event.outcome = success
  | table([@timestamp,user.name,Vendor.properties.TargetAccountUpn,"Vendor.properties.AdditionalFields.TARGET_OBJECT.USER",user.target.name])
# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Detects when the “Password Not Required” flag is set or modified on a user account in Active Directory. This change weakens authentication controls and may allow access to the account without a password being enforced; it can indicate misuse or an attempt to bypass security policy and should be investigated.