HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE)
Sigma rule

```yaml
title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        - Imphash:
              - a53a02b997935fd8eedcb5f7abab9b9f
              - e96a73c7bf33a464c510ede582318bf2
        - Hashes|contains: # Sysmon field hashes contains all types
              - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
              - IMPHASH=e96a73c7bf33a464c510ede582318bf2
    selection_2:
        CommandLine|endswith: '.exe -S'
        ParentImage|endswith: '\services.exe'
    filter:
        Image|endswith: '\clussvc.exe'
    condition: 1 of selection_* and not filter
falsepositives:
    - Another service that uses a single -s command line switch
level: critical
```
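To show how the rule's condition resolves against process-creation telemetry, here is an added Python re-implementation of its detection logic (example code, not part of the Sigma project or the rule itself). The sample events, the `tool.exe` paths and the `<placeholder>` hash values are constructed; field names follow the Sigma process_creation taxonomy and string matching is case-insensitive, as Sigma defaults to.

```python
from typing import Dict, List, Optional
# Import hashes listed in the rule's selection_1
WCE_IMPHASHES = {
    "a53a02b997935fd8eedcb5f7abab9b9f",
    "e96a73c7bf33a464c510ede582318bf2",
}

def _lower(value: Optional[str]) -> str:
    """Sigma string matching is case-insensitive by default."""
    return (value or "").lower()

def selection_1(ev: Dict[str, str]) -> bool:
    """Imphash equals a WCE import hash, or the Sysmon Hashes field contains one."""
    if _lower(ev.get("Imphash")) in WCE_IMPHASHES:
        return True
    hashes = _lower(ev.get("Hashes"))
    return any(f"imphash={h}" in hashes for h in WCE_IMPHASHES)

def selection_2(ev: Dict[str, str]) -> bool:
    """Service-style launch: command line ends in '.exe -S' and parent is services.exe."""
    return (_lower(ev.get("CommandLine")).endswith(".exe -s")
            and _lower(ev.get("ParentImage")).endswith("\\services.exe"))

def rule_filter(ev: Dict[str, str]) -> bool:
    """The cluster service is excluded because it legitimately starts with -s."""
    return _lower(ev.get("Image")).endswith("\\clussvc.exe")

def matches(ev: Dict[str, str]) -> bool:
    """condition: 1 of selection_* and not filter"""
    return (selection_1(ev) or selection_2(ev)) and not rule_filter(ev)

def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events the rule would alert on."""
    return [ev["id"] for ev in events if matches(ev)]
# Constructed sample events (not real telemetry); <placeholder> stands in for real hashes
SERVICES = r"C:\Windows\System32\services.exe"
SAMPLE_EVENTS = [
    {"id": "wce-imphash", "Image": r"C:\Users\Public\tool.exe", "CommandLine": "tool.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Hashes": "MD5=<placeholder>,IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F"},
    {"id": "wce-service", "Image": r"C:\Windows\Temp\tool.exe",
     "CommandLine": r"C:\Windows\Temp\tool.exe -S", "ParentImage": SERVICES},
    {"id": "clussvc", "Image": r"C:\Windows\Cluster\clussvc.exe",
     "CommandLine": r"C:\Windows\Cluster\clussvc.exe -s", "ParentImage": SERVICES},
    {"id": "vendor-agent-fp", "Image": r"C:\Program Files\Vendor\agent.exe",
     "CommandLine": r"C:\Program Files\Vendor\agent.exe -s", "ParentImage": SERVICES},
    {"id": "notepad", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]
```

The `vendor-agent-fp` event is the false positive the rule documents: because matching is case-insensitive, any service started with a trailing `-s` by services.exe fires selection_2 unless it is clussvc.exe.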
References
- https://www.ampliasecurity.com/research/windows-credentials-editor/
Related rules
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- Password Dumper Remote Thread in LSASS
- Windows Credential Editor Registry
- APT31 Judgement Panda Activity