Password Set to Never Expire via WMI
Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
Sigma rule

```yaml
title: Password Set to Never Expire via WMI
id: 7864a175-3654-4824-9f0d-f0da18ab27c0
status: experimental
description: |
    Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
references:
    - https://www.huntress.com/blog/the-unwanted-guest
author: "Daniel Koifman (KoifSec)"
date: 2025-07-30
tags:
    - attack.execution
    - attack.persistence
    - attack.t1047
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_img: # Example command simulated: wmic useraccount where name='guest' set passwordexpires=false
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'useraccount'
            - ' set '
            - 'passwordexpires'
            - 'false'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium
```
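To make the rule's semantics concrete, here is an added example (not part of the rule or the Sigma project) that re-implements its matching logic in Python and runs it over constructed process-creation events: the `selection_img` list is OR-ed, `contains|all` requires every substring, and Sigma string matching is case-insensitive by default, so a renamed binary is still caught through `OriginalFileName` while a read-only `get` query or a command that re-enables expiration is not.

```python
"""Reference evaluation of the 'Password Set to Never Expire via WMI' rule.
Added example, not the rule's or the Sigma project's own code. Sigma string
modifiers are case-insensitive by default, so values are lower-cased first."""

IMAGE_SUFFIX = "\\wmic.exe"
ORIGINAL_FILE_NAME = "wmic.exe"
CLI_TOKENS = ("useraccount", " set ", "passwordexpires", "false")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `condition: all of selection_*`."""
    image = (event.get("Image") or "").lower()
    orig = (event.get("OriginalFileName") or "").lower()
    cmd = (event.get("CommandLine") or "").lower()

    # selection_img is a YAML list of maps, so its entries are OR-ed together.
    selection_img = image.endswith(IMAGE_SUFFIX) or orig == ORIGINAL_FILE_NAME
    # selection_cli uses contains|all, so every token must appear in CommandLine.
    selection_cli = all(tok in cmd for tok in CLI_TOKENS)
    return selection_img and selection_cli


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # The command cited in the rule comment: should match.
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic useraccount where name='guest' set passwordexpires=false",
    },
    {   # Renamed copy of wmic.exe: Image misses, OriginalFileName still matches.
        "Image": "C:\\Users\\Public\\svc.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "svc USERACCOUNT WHERE Name='guest' SET PasswordExpires=FALSE",
    },
    {   # Read-only query: no ' set ' and no 'false', should not match.
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic useraccount get name,passwordexpires",
    },
    {   # Re-enabling expiration: 'false' is absent, should not match.
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic useraccount where name='guest' set passwordexpires=true",
    },
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return one boolean verdict per event, in input order."""
    return [matches_rule(e) for e in events]
```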
Related rules
- Blue Mockingbird - Registry
- Suspicious Autorun Registry Modified via WMI
- HackTool - CrackMapExec Execution
- Suspicious Encoded Scripts in a WMI Consumer
- Potential SSH Tunnel Persistence Install Using A Scheduled Task