Detects execution of well-known credential dumping tools via service execution events
Detects the use of Windows Credential Editor (WCE)
Detects password dumper activity by monitoring remote thread creation events (EventID 8) where the TargetImage is the lsass.exe process.
The process in field Process is the malicious program. A single execution can lead to hundreds of events.
Detects access to wceaux.dll during WCE pass-the-hash remote command execution on the source host
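
The EventID 8 remote-thread rule described above, as an added example that is not part of the original rule set: it keeps only remote-thread events that target lsass.exe and collapses the hundreds of events one execution can produce into a single alert per source process. The Sysmon-style field names (`SourceImage`, `SourceProcessGuid`, `UtcTime`) and every sample value are assumptions constructed for the illustration.

```python
# Constructed Sysmon-style CreateRemoteThread (Event ID 8) records; all values are sample data.
LSASS = r"C:\Windows\System32\lsass.exe"
TOOL = {"EventID": 8, "SourceProcessGuid": "{sample-guid-0001}",
        "SourceImage": r"C:\Users\Public\sample_tool.exe", "TargetImage": LSASS}
EVENTS = [dict(TOOL, UtcTime=f"2024-01-01 10:00:00.{i:03d}") for i in range(3)] + [
    # Remote thread into a process other than lsass.exe: out of scope for this rule.
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:01.000",
     "SourceProcessGuid": "{sample-guid-0002}",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    # Different event type that happens to mention lsass.exe: ignored.
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:02.000",
     "SourceProcessGuid": "{sample-guid-0003}",
     "SourceImage": r"C:\Temp\reader_sample.exe", "TargetImage": LSASS},
    # Second source process; the path casing differs, so matching must ignore case.
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:03.000",
     "SourceProcessGuid": "{sample-guid-0004}",
     "SourceImage": r"C:\Temp\other_sample.exe",
     "TargetImage": r"C:\WINDOWS\system32\LSASS.EXE"},
]


def targets_lsass(event):
    """True for a remote-thread event whose TargetImage path ends in \\lsass.exe."""
    return (event.get("EventID") == 8
            and event.get("TargetImage", "").lower().endswith("\\lsass.exe"))


def detect(events):
    """Return one alert per source process, counting the events folded into it."""
    alerts = {}  # insertion-ordered: alerts come out in first-seen order
    for event in events:
        if not targets_lsass(event):
            continue
        # Prefer the process GUID as the key; fall back to the image path if absent.
        key = event.get("SourceProcessGuid") or event.get("SourceImage")
        alert = alerts.setdefault(key, {
            "source_image": event.get("SourceImage"),
            "first_seen": event.get("UtcTime"),
            "count": 0,
        })
        alert["count"] += 1
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```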