Rule Info
Name
User Account Password Property Manipulation Via WMIC
Author
Swachchhanda Shrawan Poudel, Christian Burkard
Description
Detects manipulation of password-related properties on user accounts via WMIC against
the Win32_UserAccount class. This covers direct password changes as well as policy
modifications such as disabling password expiry or preventing password changes,
all of which are common persistence techniques for maintaining access to a backdoor account.
Date
2026-07-01 00:00:00
Modified
None
Id
7e4c2b9a-1d38-4f5e-a7c6-9b0d3e81f247
Tags
attack.persistence attack.privilege-escalation attack.t1098
Type
Nextron Sigma feed only (private)
