Windows Credential Editor Registry

Aug 12, 2024 · attack.credential-access attack.t1003.001 attack.s0005 ·

Detects the use of Windows Credential Editor (WCE)

Sigma rule (View on GitHub)

 1title: Windows Credential Editor Registry
 2id: a6b33c02-8305-488f-8585-03cb2a7763f2
 3status: test
 4description: Detects the use of Windows Credential Editor (WCE)
 5references:
 6    - https://www.ampliasecurity.com/research/windows-credentials-editor/
 7author: Florian Roth (Nextron Systems)
 8date: 2019-12-31
 9modified: 2021-11-27
10tags:
11    - attack.credential-access
12    - attack.t1003.001
13    - attack.s0005
14logsource:
15    category: registry_event
16    product: windows
17detection:
18    selection:
19        TargetObject|contains: Services\WCESERVICE\Start
20    condition: selection
21falsepositives:
22    - Unknown
23level: critical

References

Amplia Security - Research - Windows Credentials Editor (WCE)

Amplia Security, Information Security Professional Services

Read More

Windows Credential Editor Registry

Sigma rule (View on GitHub)

References

Amplia Security - Research - Windows Credentials Editor (WCE)

Related rules