Merge PR SigmaHQ#5568 from @Koifman - Password Never Expires Set via WMI

Koifman · phantinuss · web-flow · commit 73444cac35bb · 2025-07-31T12:28:06.000+02:00
new: Password Never Expires Set via WMI
---------

Co-authored-by: phantinuss &lt;79651203+phantinuss@users.noreply.github.com&gt;
diff --git a/rules/windows/process_creation/proc_creation_win_wmi_password_never_expire.yml b/rules/windows/process_creation/proc_creation_win_wmi_password_never_expire.yml
@@ -0,0 +1,31 @@
+title: Password Set to Never Expire via WMI
+id: 7864a175-3654-4824-9f0d-f0da18ab27c0
+status: experimental
+description: |
+    Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
+references:
+    - https://www.huntress.com/blog/the-unwanted-guest
+author: "Daniel Koifman (KoifSec)"
+date: 2025-07-30
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.t1047
+    - attack.t1098
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:   # Example command simulated:  wmic  useraccount where name='guest' set passwordexpires=false
+        - Image|endswith: '\wmic.exe'
+        - OriginalFileName: 'wmic.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'useraccount'
+            - ' set '
+            - 'passwordexpires'
+            - 'false'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate administrative activity
+level: medium
