Title: Password Set to Never Expire via WMI
Status: experimental
Description: Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
References:
  - https://www.huntress.com/blog/the-unwanted-guest
Author: Daniel Koifman (KoifSec)
Date: 2025-07-30
modified: None
Tags:
  - 'attack.execution'
  - 'attack.persistence'
  - 'attack.t1047'
  - 'attack.t1098'
Logsource:
  category: process_creation
  product: windows
Detection:
  selection_img:
    Image|endswith: '\wmic.exe'
    OriginalFileName: 'wmic.exe'
  selection_cli:
    CommandLine|contains|all:
      - 'useraccount'
      - ' set '
      - 'passwordexpires'
      - 'false'
  condition: all of selection_*
Falsepositives:
  - Legitimate administrative activity
Level: medium
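
Added example, not part of the rule page: the rule's matching logic evaluated in Python over constructed process_creation events, to show which command lines fire and which do not. Assumptions: Sysmon-style field names, the two selection_img fields treated as alternatives (the flattened layout does not show whether they are a list), and a made-up account name and file paths.

```python
# Added example: the rule's matching logic applied to constructed events.
# Sigma string comparisons are case-insensitive, so values are lowercased.

CLI_TERMS = ["useraccount", " set ", "passwordexpires", "false"]


def selection_img(event):
    # Assumption: Image and OriginalFileName are alternatives (OR), so a
    # renamed copy of wmic.exe is still caught through its PE metadata.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\wmic.exe") or original == "wmic.exe"


def selection_cli(event):
    # CommandLine|contains|all: every term must appear somewhere in the line.
    cmdline = event.get("CommandLine", "").lower()
    return all(term in cmdline for term in CLI_TERMS)


def rule_matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)


# Constructed process_creation events (hypothetical account and paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic useraccount where name='svc_backup' set PasswordExpires=false"},
    {"Image": r"C:\Users\Public\w.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "w.exe UserAccount where Name='svc_backup' set PasswordExpires=FALSE"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic useraccount get name,passwordexpires"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic useraccount where name='svc_backup' set PasswordExpires=true"},
    # Fires even though expiry stays on: the terms are matched independently.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic useraccount where name='svc_backup' set PasswordExpires=true,Disabled=false"},
]


def matching_indexes(events):
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in matching_indexes(SAMPLE_EVENTS):
        print("ALERT (medium):", SAMPLE_EVENTS[i]["CommandLine"])
```

The last event shows a tuning point: because contains|all does not tie 'false' to 'passwordexpires', an unrelated `=false` assignment in the same command also triggers the rule and needs triage as a likely false positive.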