← Back to Explore
sigmamediumHunting
Password Set to Never Expire via WMI
Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
Detection Query
selection_img:
- Image|endswith: \wmic.exe
- OriginalFileName: wmic.exe
selection_cli:
CommandLine|contains|all:
- useraccount
- " set "
- passwordexpires
- "false"
condition: all of selection_*
Author
Daniel Koifman (KoifSec)
Created
2025-07-30
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.privilege-escalationattack.executionattack.persistenceattack.t1047attack.t1098
Raw Content
title: Password Set to Never Expire via WMI
id: 7864a175-3654-4824-9f0d-f0da18ab27c0
status: experimental
description: |
Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
references:
- https://www.huntress.com/blog/the-unwanted-guest
author: "Daniel Koifman (KoifSec)"
date: 2025-07-30
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1047
- attack.t1098
logsource:
category: process_creation
product: windows
detection:
selection_img: # Example command simulated: wmic useraccount where name='guest' set passwordexpires=false
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains|all:
- 'useraccount'
- ' set '
- 'passwordexpires'
- 'false'
condition: all of selection_*
falsepositives:
- Legitimate administrative activity
level: medium