WCE wceaux.dll Access
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
Sigma rule (View on GitHub)
1title: WCE wceaux.dll Access
2id: 1de68c67-af5c-4097-9c85-fe5578e09e67
3status: test
4description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
5references:
6 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
7 - https://jpcertcc.github.io/ToolAnalysisResultSheet
8author: Thomas Patzke
9date: 2017-06-14
10modified: 2021-11-27
11tags:
12 - attack.credential-access
13 - attack.t1003
14 - attack.s0005
15logsource:
16 product: windows
17 service: security
18detection:
19 selection:
20 EventID:
21 - 4656
22 - 4658
23 - 4660
24 - 4663
25 ObjectName|endswith: '\wceaux.dll'
26 condition: selection
27falsepositives:
28 - Unknown
29level: critical
References
Related rules
- Access To Crypto Currency Wallets By Uncommon Applications
- Antivirus Password Dumper Detection
- Capture Credentials with Rpcping.exe
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System