Password Set to Never Expire via WMI
Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
Sigma rule (View on GitHub)
1title: Password Set to Never Expire via WMI
2id: 7864a175-3654-4824-9f0d-f0da18ab27c0
3status: experimental
4description: |
5 Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
6references:
7 - https://www.huntress.com/blog/the-unwanted-guest
8author: "Daniel Koifman (KoifSec)"
9date: 2025-07-30
10tags:
11 - attack.privilege-escalation
12 - attack.execution
13 - attack.persistence
14 - attack.t1047
15 - attack.t1098
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img: # Example command simulated: wmic useraccount where name='guest' set passwordexpires=false
21 - Image|endswith: '\wmic.exe'
22 - OriginalFileName: 'wmic.exe'
23 selection_cli:
24 CommandLine|contains|all:
25 - 'useraccount'
26 - ' set '
27 - 'passwordexpires'
28 - 'false'
29 condition: all of selection_*
30falsepositives:
31 - Legitimate administrative activity
32level: medium
References
-
Threat actors are enabling the built-in Windows Guest account to maintain persistence. Learn how they gain access and how to detect this activity.
Read More
Related rules
- ESXi Admin Permission Assigned To Account Via ESXCLI
- HackTool - CrackMapExec Execution Patterns
- MITRE BZAR Indicators for Execution
- Suspicious Autorun Registry Modified via WMI
- Suspicious Encoded Scripts in a WMI Consumer