Detection rule for Active Directory with the PASSWD_NOTREQD attribute


Evair Silva

Mar 5, 2026, 12:56:12 AM
to Wazuh | Mailing List
Hello community,

Has anyone ever created, or knows if it's possible to create, a rule in Wazuh to detect when an account in Active Directory receives the PASSWD_NOTREQD property flag with attributes 0x0020 or 32?

I found some users in the environment who had the "PASSWD_NOTREQD" property enabled, so I would like to create a detection rule if this property is activated in any account.
Regards,

ES

Bony V John

Mar 5, 2026, 1:09:19 AM
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.


Bony V John

Mar 5, 2026, 2:14:35 AM
to Wazuh | Mailing List
Hi,

If you need to create a custom detection rule for users in the environment who have the "PASSWD_NOTREQD" property enabled, you can do so by checking whether the raw Windows event log contains the value PASSWD_NOTREQD. If this value appears in the log, you can use the <match> tag in a child rule to detect it.

Example:

<match>PASSWD_NOTREQD</match>

Currently, I cannot confirm which default rule should be used as the parent rule for your custom rule because I do not have a similar event in my environment. If you can share the raw log of this event, I can check it from my end and help you create the appropriate custom rule based on your requirement. 

If PASSWD_NOTREQD does not appear directly in the raw log and instead appears as a hexadecimal or decimal value, you can replace it with that value in the <match> tag. Additionally, if this field is being correctly decoded by a decoder, you can also use the <field> tag to create the condition.  

You can also refer to the Wazuh rules syntax documentation for more details about custom rule creation.

If possible, please share a sample log of this event from the Wazuh Manager archives logs so we can test it on our end and assist you further.

Note: When enabling archives logging, it will start logging all events being ingested into the Wazuh Manager for analysis, which can increase storage usage quickly. After capturing the event, please disable the option to avoid running out of storage.

For capturing logs from archives.json, follow the steps below:

  1. Enable logall_json on the Wazuh Manager

Update ossec.conf on the Wazuh Manager to enable logall_json.

  2. Reproduce the event

Trigger the event again to capture the relevant logs.

  3. Extract the relevant logs

Run the following command on the Wazuh Manager:

cat /var/ossec/logs/archives/archives.json | grep -iE "<related string>"

Replace <related string> with a relevant value from the log to filter the specific entries.

  4. Disable logall_json

After capturing the logs, disable logall_json in ossec.conf to prevent excessive storage usage.

Please share the sample log you extracted from archives.json with us.
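As an added illustration of the two approaches described in the reply above (this is not the thread author's rule and has not been verified against a real event), here are two custom-rule variants for local_rules.xml: one using <match> on the raw log and one using <field> on the decoded value. The "windows" parent group, the field name win.eventdata.userAccountControl and the $(win.eventdata.targetUserName) placeholder are assumptions to confirm against the archives.json sample before deploying.

```xml
<!-- Added example for local_rules.xml; not taken from the thread or from a
     real environment. Assumptions to verify against the event captured in
     archives.json:
       - the event arrives through the Windows eventchannel decoder and is
         already matched by a default rule in the "windows" group;
       - the decoded field is win.eventdata.userAccountControl and contains
         the literal PASSWD_NOTREQD (or 0x0020 / 32 instead);
       - win.eventdata.targetUserName names the modified account.
     Use only one of the two variants: Wazuh fires a single rule per event. -->
<group name="windows,active_directory,local,">

  <!-- Variant A: the raw log contains the literal string, so a <match>
       child rule is enough. Replace <if_group> with <if_sid> and the exact
       parent rule ID once the event has been seen in archives.json. -->
  <rule id="100200" level="10">
    <if_group>windows</if_group>
    <match>PASSWD_NOTREQD</match>
    <description>Active Directory: PASSWD_NOTREQD set on account $(win.eventdata.targetUserName)</description>
    <group>account_change,</group>
  </rule>

  <!-- Variant B: the flag is exposed in a decoded field, so <field> can be
       used. If the event shows the flag as 0x0020 or 32 rather than by name,
       replace the pattern (and, if needed, the field name) with what the
       decoded event actually contains. -->
  <rule id="100201" level="10">
    <if_group>windows</if_group>
    <field name="win.eventdata.userAccountControl">PASSWD_NOTREQD</field>
    <description>Active Directory: PASSWD_NOTREQD present in userAccountControl for $(win.eventdata.targetUserName)</description>
    <group>account_change,</group>
  </rule>

</group>
```

After adding the rules, restart the manager and confirm with /var/ossec/bin/wazuh-logtest that the captured sample triggers exactly one of the two rule IDs.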
