Detection rules › Sigma
WCE wceaux.dll Access
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003 OS Credential Dumping |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4656 | A handle to an object was requested. |
| Security-Auditing | 4663 | An attempt was made to access an object. |
Stages and Predicates
Stage 1: selection
ObjectName|endswith: '\wceaux.dll'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ObjectName | ends_with |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
- Azure AD Health Monitoring Agent Registry Keys Access
- Azure AD Health Service Agents Registry Keys Access
- Processes Accessing the Microphone and Webcam
- LSASS Access From Non System Account
- Potential Secure Deletion with SDelete
- Potentially Suspicious AccessMask Requested From LSASS
- SysKey Registry Keys Access
- Sysmon Channel Reference Deletion
Share event IDs (chain-detection candidates)
Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.
- Azure AD Health Monitoring Agent Registry Keys Access
- Azure AD Health Service Agents Registry Keys Access
- Processes Accessing the Microphone and Webcam
- LSASS Access From Non System Account
- Potential Secure Deletion with SDelete
- Potentially Suspicious AccessMask Requested From LSASS
- SysKey Registry Keys Access
- Windows Defender Exclusion Registry Key - Write Access Requested