Windows Credential Editor Registry
Detects the use of Windows Credential Editor (WCE)
Sigma rule
title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: Services\WCESERVICE\Start
    condition: selection
falsepositives:
    - Unknown
level: critical
Related rules
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- HackTool - Windows Credential Editor (WCE) Execution
- Password Dumper Remote Thread in LSASS
- APT31 Judgement Panda Activity