
Password Set to Never Expire via WMI

Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.

Author
Daniel Koifman (KoifSec)
Log Source
Product
Windows (raw: windows)
Category
Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
detection:
    selection_img:   # Example command simulated:  wmic  useraccount where name='guest' set passwordexpires=false
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'useraccount'
            - ' set '
            - 'passwordexpires'
            - 'false'
    condition: all of selection_*
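To show how the two selectors combine, here is a small evaluator, added for this page and not part of the Sigma rule or the Sigma project, that reimplements the detection block above with Sigma's default case-insensitive string matching and runs it over constructed process-creation events. The event records, field names (Sysmon Event ID 1 style) and command lines are all constructed samples, not real telemetry.

```python
"""Minimal evaluator for the 'Password Set to Never Expire via WMI' Sigma rule.

Added example: reimplements the rule's selection_img / selection_cli selectors
and its 'all of selection_*' condition in plain Python, then runs them over
constructed process-creation events. Not part of the rule page or of Sigma.
"""

# Field values copied from the rule's detection block (lower-cased once,
# because Sigma string matching is case-insensitive by default).
IMAGE_SUFFIX = "\\wmic.exe"
ORIGINAL_FILE_NAME = "wmic.exe"
CLI_ALL_OF = ["useraccount", " set ", "passwordexpires", "false"]


def _lower(value):
    """Normalise a possibly-missing field for case-insensitive comparison."""
    return (value or "").lower()


def selection_img(event):
    """A list of maps in Sigma is OR: Image|endswith '\\wmic.exe' OR OriginalFileName 'wmic.exe'."""
    return (_lower(event.get("Image")).endswith(IMAGE_SUFFIX)
            or _lower(event.get("OriginalFileName")) == ORIGINAL_FILE_NAME)


def selection_cli(event):
    """CommandLine|contains|all: every listed substring must be present."""
    cmd = _lower(event.get("CommandLine"))
    return all(token in cmd for token in CLI_ALL_OF)


def rule_matches(event):
    """condition: all of selection_* -> both selectors must hold."""
    return selection_img(event) and selection_cli(event)


def evaluate(events):
    """Return the indexes of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


# Constructed sample events; field names follow Sysmon Event ID 1, values are made up.
SAMPLE_EVENTS = [
    {   # 0: the behaviour the rule targets (mirrors the comment in the rule)
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic useraccount where name='guest' set passwordexpires=false",
    },
    {   # 1: read-only WMI query; no ' set ' / 'passwordexpires', so no alert
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic useraccount get name,disabled",
    },
    {   # 2: binary copied under another name; the OriginalFileName branch of
        #    selection_img is what still identifies it (and matching is case-insensitive)
        "Image": "C:\\Users\\Public\\w.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "w.exe USERACCOUNT WHERE Name='svc' SET PasswordExpires=FALSE",
    },
    {   # 3: the parent shell does not match; the rule fires on the child wmic.exe
        #    process-creation event that this command spawns
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c \"wmic useraccount where name='svc' set passwordexpires=false\"",
    },
]

if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running the block alerts on events 0 and 2 only. Event 3 illustrates why the rule keys on the wmic.exe process itself rather than on the shell that launched it, and event 2 shows the value of the OriginalFileName branch, which is taken from the PE version resource rather than the on-disk file name.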
False Positives

Legitimate administrative activity

Rule Metadata
Rule ID
7864a175-3654-4824-9f0d-f0da18ab27c0
Status
experimental
Level
medium
Type
Detection
Created
Wed Jul 30
Path
rules/windows/process_creation/proc_creation_win_wmi_password_never_expire.yml
Raw Tags
attack.privilege-escalation, attack.execution, attack.persistence, attack.t1047, attack.t1098