Account Configured with Never-Expiring Password

Elastic Detection Rules

Summary
This detection rule identifies user accounts in Active Directory that are configured with the "Don't Expire Password" option enabled. A never-expiring password is a significant security risk: an attacker who compromises such an account keeps working credentials indefinitely and can use them to maintain prolonged access. The rule detects both the creation and the modification of such accounts, focusing on the relevant Windows security event codes: 4738, which denotes a user account change, and 5136, which indicates that a directory object attribute (here userAccountControl) has been updated. The rule aims to improve domain security by alerting on a configuration that allows persistence by a malicious actor. Because enabling non-expiring passwords is poor security hygiene, especially for privileged accounts, the rule calls for every occurrence of this configuration to be investigated and includes actionable steps for response and remediation.
Categories
  • Windows
  • Identity Management
  • Endpoint
  • Cloud
Data Sources
  • Active Directory
  • Windows Registry
  • User Account
ATT&CK Techniques
  • T1098
Created: 2022-02-22