Net User Logon Time Restriction and Account Lockout

Rule Info

Name
Net User Logon Time Restriction and Account Lockout
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects usage of net user command to set logon time restrictions and disable accounts, a technique used by wipers to prevent user logins and lock out accounts, hindering recovery efforts.
Reference
https://securelist.com/tr/lotus-wiper/119472/
Date
2026-05-04 00:00:00
Modified
None
Id
d5e6f7a8-b9c0-1d2e-3f4a-5b6c7d8e9f0a
Tags
attack.impact attack.t1531 detection.emerging-threats
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022