Windows Credential Editor Registry
Detects the use of Windows Credential Editor (WCE)
Sigma rule

title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
  - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019/12/31
modified: 2021/11/27
tags:
  - attack.credential_access
  - attack.t1003.001
  - attack.s0005
logsource:
  category: registry_event
  product: windows
detection:
  selection:
    TargetObject|contains: Services\WCESERVICE\Start
  condition: selection
falsepositives:
  - Unknown
level: critical
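The rule above has a single selection: any registry event whose TargetObject contains `Services\WCESERVICE\Start`, the service Start value WCE writes when it installs its driver service. The following is an added example, not code from the Sigma project or this rule's author, that evaluates that selection over constructed Sysmon-style registry events; it assumes Sysmon field names (TargetObject, Image, Details) and applies Sigma's default case-insensitive `contains` semantics.

```python
"""Added example (not part of the Sigma rule or its repository): evaluates the
rule's `TargetObject|contains: Services\\WCESERVICE\\Start` selection against
constructed Sysmon registry events (EventID 12/13 style dicts)."""

# Sigma string modifiers such as |contains match case-insensitively by default,
# so the check lowercases both sides before comparing.
NEEDLE = r"Services\WCESERVICE\Start"


def matches_wce_registry_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's single selection."""
    target = event.get("TargetObject")
    if not isinstance(target, str):
        return False
    return NEEDLE.lower() in target.lower()


# Constructed sample events; field names follow Sysmon registry events.
SAMPLE_EVENTS = [
    {  # WCE installs its service: the Start value is written under WCESERVICE
        "EventID": 13, "EventType": "SetValue",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\WCESERVICE\Start",
        "Details": "DWORD (0x00000003)", "Image": r"C:\Temp\wce.exe",
    },
    {  # Same key path in different case still matches (contains is case-insensitive)
        "EventID": 13, "EventType": "SetValue",
        "TargetObject": r"HKLM\SYSTEM\ControlSet001\services\wceservice\start",
        "Details": "DWORD (0x00000002)", "Image": r"C:\Temp\wce.exe",
    },
    {  # Benign service configuration change: no WCESERVICE path, must not alert
        "EventID": 13, "EventType": "SetValue",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
        "Details": "DWORD (0x00000002)", "Image": r"C:\Windows\System32\services.exe",
    },
]


def run_rule(events) -> list:
    """Return the subset of events the rule would flag (level: critical)."""
    return [e for e in events if matches_wce_registry_rule(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT [critical] Windows Credential Editor Registry:", hit["TargetObject"])
```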
Related rules
- Mimikatz Use
- PowerShell Get-Process LSASS in ScriptBlock
- Mimikatz Command Line With Ticket Export
- Transferring Files with Credential Data via Network Shares - Zeek
- Abnormal LSASS Child and Parent Process Relationships