HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003.001 OS Credential Dumping: LSASS Memory |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: 1 of selection_img
or:
Image|endswith: '\WCE.exe'
Image|endswith: '\WCE64.exe'
Stage 2: 1 of selection_hash
or:
Hashes|contains: 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
Hashes|contains: 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
Hashes|contains: 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
Hashes|contains: 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
Hashes|contains: 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
Hashes|contains: 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
Hashes|contains: 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
Hashes|contains: 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
Hashes|contains: 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
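The two stages above, evaluated over constructed Sysmon Event ID 1 records, as an added example that is not part of the rule or the catalog's own code. It assumes Sigma's default case-insensitive string matching and reports each stage separately, since the page does not state how the stages combine; the function name, sample paths and placeholder hash values are constructed.

```python
# Added example: checks Sysmon process-creation fields against this rule's stages.
IMAGE_SUFFIXES = ("\\WCE.exe", "\\WCE64.exe")
IMPHASHES = (
    "136F0A8572C058A96436C82E541E4C41", "589657C64DDE88533186C39F82FA1F50",
    "6BFE09EFCB4FFDE061EBDBAFC4DB84CF", "7D490037BF450877E6D0287BDCFF8D2E",
    "8AB93B061287C79F3088C5BC7E7D97ED", "A53A02B997935FD8EEDCB5F7ABAB9B9F",
    "BA434A7A729EEC20E136CA4C32D6C740", "BD1D1547DA13C0FCB6C15E86217D5EB8",
    "E96A73C7BF33A464C510EDE582318BF2",
)

def matched_stages(event):
    """Return the names of the rule stages that one event satisfies."""
    # Assumption: Sigma string modifiers compare case-insensitively by default.
    image = event.get("Image", "").lower()
    hashes = event.get("Hashes", "").lower()
    stages = []
    if any(image.endswith(suffix.lower()) for suffix in IMAGE_SUFFIXES):
        stages.append("selection_img")
    if any(("IMPHASH=" + h).lower() in hashes for h in IMPHASHES):
        stages.append("selection_hash")
    return stages

# Constructed sample events; the all-zero digests are placeholders, not real hashes.
ZERO_SHA256 = "SHA256=" + "0" * 64
SAMPLES = {
    # Original file name, lower-cased on disk: caught by the Image suffix.
    "original_name": {"Image": r"C:\Users\Public\wce.exe", "Hashes": ZERO_SHA256},
    # Renamed binary: only the import hash still identifies it.
    "renamed": {
        "Image": r"C:\Users\Public\svc-update.exe",
        "Hashes": ZERO_SHA256 + ",IMPHASH=" + IMPHASHES[0],
    },
    # Renamed binary on a host whose Sysmon config does not log IMPHASH:
    # the Hashes field has nothing for selection_hash to match.
    "renamed_no_imphash": {
        "Image": r"C:\Users\Public\svc-update.exe",
        "Hashes": ZERO_SHA256,
    },
    # The leading backslash in the suffix anchors on the full file name.
    "lookalike_name": {"Image": r"C:\Tools\NotWCE.exe", "Hashes": ZERO_SHA256},
}

if __name__ == "__main__":
    for name, event in SAMPLES.items():
        print(name, matched_stages(event))
```

The `renamed_no_imphash` case is the coverage gap to check for: the hash stage only works where Sysmon is configured to include IMPHASH in the `Hashes` field.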
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Hashes | match | |
| Image | ends_with | |