HackTool - Windows Credential Editor (WCE) Execution

Detects the use of Windows Credential Editor (WCE)

Sigma rule

title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        Hashes|contains:  # Sysmon field hashes contains all types
            - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
            - IMPHASH=e96a73c7bf33a464c510ede582318bf2
    selection_2:
        CommandLine|endswith: '.exe -S'
        ParentImage|endswith: '\services.exe'
    filter:
        Image|endswith: '\clussvc.exe'
    condition: 1 of selection_* and not filter
falsepositives:
    - Another service that uses a single -s command line switch
level: critical
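To make the condition `1 of selection_* and not filter` concrete, the following is an added Python evaluator (not part of the Sigma project or its backends) that applies this rule's detection block to a few constructed Sysmon Event ID 1 records. The IMPHASH values are the ones from the rule; the file paths, command lines and MD5 values in the sample events are made up.

```python
# Minimal evaluator for this rule's detection block; field names follow
# Sysmon Event ID 1 (the process_creation log source).

# IMPHASH values taken from selection_1 of the rule above
WCE_IMPHASHES = (
    "a53a02b997935fd8eedcb5f7abab9b9f",
    "e96a73c7bf33a464c510ede582318bf2",
)


def matches_wce_rule(event: dict) -> bool:
    """Return True when the event satisfies: 1 of selection_* and not filter.

    Sigma string modifiers (contains/endswith) are case-insensitive by default,
    so every field and pattern is lower-cased before comparison.
    """
    hashes = event.get("Hashes", "").lower()
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()

    # selection_1: Hashes|contains any listed value (list entries are OR-ed)
    selection_1 = any(f"imphash={h}" in hashes for h in WCE_IMPHASHES)
    # selection_2: both keys of the map must hold (map entries are AND-ed)
    selection_2 = cmd.endswith(".exe -s") and parent.endswith("\\services.exe")
    # filter: the cluster service legitimately starts with a lone -s switch
    filtered = image.endswith("\\clussvc.exe")
    return (selection_1 or selection_2) and not filtered


# Constructed sample events; paths and MD5 values are made up for the demo
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\Downloads\tool.exe", "CommandLine": r"C:\Users\u\Downloads\tool.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=" + "0" * 32 + ",IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F"},
    {"Image": r"C:\Windows\Temp\svc.exe", "CommandLine": r"C:\Windows\Temp\svc.exe -S",
     "ParentImage": r"C:\Windows\System32\services.exe", "Hashes": "MD5=" + "1" * 32},
    {"Image": r"C:\Windows\Cluster\clussvc.exe", "CommandLine": r"C:\Windows\Cluster\clussvc.exe -s",
     "ParentImage": r"C:\Windows\System32\services.exe", "Hashes": "MD5=" + "2" * 32},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": r"C:\Windows\System32\notepad.exe -S",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "MD5=" + "3" * 32},
]


def alerting_images(events) -> list:
    """Image paths of every event the rule would raise a critical alert on."""
    return [e["Image"] for e in events if matches_wce_rule(e)]
```

Running `alerting_images(SAMPLE_EVENTS)` flags the first two records (hash match, and `-S` under services.exe) while the clussvc.exe record is suppressed by the filter and the notepad.exe record fails selection_2 because its parent is not services.exe.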
