WCE wceaux.dll Access
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
Sigma rule (View on GitHub)
1title: WCE wceaux.dll Access
2id: 1de68c67-af5c-4097-9c85-fe5578e09e67
3status: test
4description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
5references:
6 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
7 - https://jpcertcc.github.io/ToolAnalysisResultSheet
8author: Thomas Patzke
9date: 2017-06-14
10modified: 2025-01-30
11tags:
12 - attack.credential-access
13 - attack.t1003
14 - attack.s0005
15logsource:
16 product: windows
17 service: security
18detection:
19 selection:
20 EventID:
21 - 4656
22 - 4663
23 ObjectName|endswith: '\wceaux.dll'
24 condition: selection
25falsepositives:
26 - Unknown
27level: critical
References
-
Detecting Lateral Movement through Tracking Event Logs Many recent cyberattacks have been confirmed in which malware infects a host and in turn spreads to other hosts and internal servers, resultin...
Read More -
About this site Command Execution PsExec wmic schtasks wmiexec.vbs BeginX WinRM WinRS BITS Password and Hash Dump PWDump7 PWDumpX Quarks PwDump Mimikatz (Password and Hash Dump lsadump::sam) Mimika...
Read More
Related rules
- Suspicious SYSTEM User Process Creation
- HackTool - Windows Credential Editor (WCE) Execution
- Hacktool Execution - Imphash
- Antivirus Password Dumper Detection
- Access To Crypto Currency Wallets By Uncommon Applications