WCE wceaux.dll Access

 1title: WCE wceaux.dll Access
 2id: 1de68c67-af5c-4097-9c85-fe5578e09e67
 3status: test
 4description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
 5references:
 6    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 7    - https://jpcertcc.github.io/ToolAnalysisResultSheet
 8author: Thomas Patzke
 9date: 2017/06/14
10modified: 2021/11/27
11tags:
12    - attack.credential_access
13    - attack.t1003
14    - attack.s0005
15logsource:
16    product: windows
17    service: security
18detection:
19    selection:
20        EventID:
21            - 4656
22            - 4658
23            - 4660
24            - 4663
25        ObjectName|endswith: '\wceaux.dll'
26    condition: selection
27falsepositives:
28    - Unknown
29level: critical

References

• Studies/Research

  

  Detecting Lateral Movement through Tracking Event Logs Many recent cyberattacks have been confirmed in which malware infects a host and in turn spreads to other hosts and internal servers, resultin...

  
  Read More

• Tool Analysis Result Sheet

  About this site Command Execution PsExec wmic schtasks wmiexec.vbs BeginX WinRM WinRS BITS Password and Hash Dump PWDump7 PWDumpX Quarks PwDump Mimikatz (Password and Hash Dump lsadump::sam) Mimika...

  
  Read More

Related rules

• Credentials In Files
• Kerberos Network Traffic RC4 Ticket Encryption
• Possible Impacket SecretDump Remote Activity - Zeek
• Suspicious History File Operations
• Password Dumper Activity on LSASS