HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.
Sigma rule

```yaml
title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
    Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
    It is often used by threat actors for credential dumping and lateral movement within compromised networks.
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\WCE.exe'
            - '\WCE64.exe'
    selection_hash:
        Hashes|contains:
            - 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
            - 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
            - 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
            - 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
            - 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
            - 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
            - 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
            - 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
            - 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
```
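To show how the two selections above combine under `1 of selection_*`, here is an added Python re-implementation of the rule's matching logic run over constructed Sysmon-style process_creation events; it is not part of the rule or the Sigma project. The image suffixes and IMPHASH values are copied from the rule; the sample events, their paths and their other hash values are made up, and the second event illustrates why the hash selection catches a renamed binary that the name check misses.

```python
# Added example: evaluates this page's WCE rule against constructed events.
# Suffixes and IMPHASH values come from the rule; everything else is made up.

IMAGE_SUFFIXES = ("\\wce.exe", "\\wce64.exe")
KNOWN_IMPHASHES = {
    "136F0A8572C058A96436C82E541E4C41", "589657C64DDE88533186C39F82FA1F50",
    "6BFE09EFCB4FFDE061EBDBAFC4DB84CF", "7D490037BF450877E6D0287BDCFF8D2E",
    "8AB93B061287C79F3088C5BC7E7D97ED", "A53A02B997935FD8EEDCB5F7ABAB9B9F",
    "BA434A7A729EEC20E136CA4C32D6C740", "BD1D1547DA13C0FCB6C15E86217D5EB8",
    "E96A73C7BF33A464C510EDE582318BF2",
}

def parse_hashes(field: str) -> dict:
    """Split a Sysmon Hashes field ('SHA1=...,MD5=...,IMPHASH=...') into {ALGO: VALUE}."""
    parsed = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            parsed[algo.strip().upper()] = value.strip().upper()
    return parsed

def selection_img(event: dict) -> bool:
    """Sigma 'Image|endswith' is case-insensitive, so compare in lower case."""
    return event.get("Image", "").lower().endswith(IMAGE_SUFFIXES)

def selection_hash(event: dict) -> bool:
    """'Hashes|contains: IMPHASH=<value>' reduces to an import-hash lookup."""
    return parse_hashes(event.get("Hashes", "")).get("IMPHASH") in KNOWN_IMPHASHES

def matches(event: dict) -> bool:
    """condition: 1 of selection_* -> either selection alone is sufficient."""
    return selection_img(event) or selection_hash(event)

# Constructed events (not real telemetry). Event 2 is a renamed binary: it evades
# the name check but carries one of the rule's IMPHASH values (case differs, as
# a normaliser might emit it). Event 3 is benign and must not fire.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\wce64.exe", "Hashes": "SHA256=" + "0" * 64},
    {"Image": "C:\\Temp\\svchost_helper.exe",
     "Hashes": "MD5=" + "1" * 32 + ",IMPHASH=136f0a8572c058a96436c82e541e4c41"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "Hashes": "MD5=" + "2" * 32 + ",IMPHASH=" + "3" * 32},
]

def alerting_images(events) -> list:
    """Return the Image of every event that would fire this rule."""
    return [e["Image"] for e in events if matches(e)]
```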
References
- https://www.ampliasecurity.com/research/windows-credentials-editor/
Related rules
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- Password Dumper Remote Thread in LSASS
- Windows Credential Editor Registry
- Potential LSASS Process Dump Via Procdump