Windows Credential Editor Registry

Detects the use of Windows Credential Editor (WCE)

Sigma rule (View on GitHub)

 1title: Windows Credential Editor Registry
 2id: a6b33c02-8305-488f-8585-03cb2a7763f2
 3status: test
 4description: Detects the use of Windows Credential Editor (WCE)
 5references:
 6    - https://www.ampliasecurity.com/research/windows-credentials-editor/
 7author: Florian Roth (Nextron Systems)
 8date: 2019/12/31
 9modified: 2021/11/27
10tags:
11    - attack.credential_access
12    - attack.t1003.001
13    - attack.s0005
14logsource:
15    category: registry_event
16    product: windows
17detection:
18    selection:
19        TargetObject|contains: Services\WCESERVICE\Start
20    condition: selection
21falsepositives:
22    - Unknown
23level: critical

References

Related rules

to-top