Techniques
Sample rules
HackTool - Windows Credential Editor (WCE) Execution
- source: sigma
- techniques:
  - t1003
  - t1003.001
Description
Detects the use of Windows Credential Editor (WCE)
Detection logic
condition: 1 of selection_* and not filter
filter:
  Image|endswith: \clussvc.exe
selection_1:
  Hashes|contains:
    - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
    - IMPHASH=e96a73c7bf33a464c510ede582318bf2
selection_2:
  CommandLine|endswith: .exe -S
  ParentImage|endswith: \services.exe
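
The rule's condition evaluated over four constructed process-creation events, as an added example (not part of the Sigma rule or the Sigma project's code). The evaluator covers only the `contains` and `endswith` modifiers this rule uses; event field values and file paths are made up, and only the two import hashes come from the rule.

```python
# Added example: evaluates this one rule; it is not a general Sigma engine.
RULE = {
    "selection_1": {"Hashes|contains": [
        "IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f",
        "IMPHASH=e96a73c7bf33a464c510ede582318bf2",
    ]},
    "selection_2": {"CommandLine|endswith": [".exe -S"],
                    "ParentImage|endswith": [r"\services.exe"]},
    "filter": {"Image|endswith": [r"\clussvc.exe"]},
}
OPS = {"contains": lambda v, p: p in v, "endswith": lambda v, p: v.endswith(p)}

def block_matches(block, event):
    """Every field in a block must match (AND); any listed value may match (OR)."""
    for key, patterns in block.items():
        field, op = key.split("|")
        value = str(event.get(field, "")).lower()  # Sigma compares strings case-insensitively
        if not any(OPS[op](value, p.lower()) for p in patterns):
            return False
    return True

def rule_matches(event):
    """condition: 1 of selection_* and not filter"""
    selections = [b for name, b in RULE.items() if name.startswith("selection_")]
    return any(block_matches(b, event) for b in selections) and not block_matches(RULE["filter"], event)

# Constructed events using Sysmon Event ID 1 field names; all paths and the MD5 are made up.
EVENTS = [
    {"Image": r"C:\Users\Public\tool.exe", "CommandLine": "tool.exe -w",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Hashes": "MD5=00000000000000000000000000000000,IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F"},
    {"Image": r"C:\Windows\Temp\abc.exe", "CommandLine": r"C:\Windows\Temp\abc.exe -S",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Hashes": "IMPHASH=00000000000000000000000000000000"},
    {"Image": r"C:\Windows\Cluster\clussvc.exe", "CommandLine": r"C:\Windows\Cluster\clussvc.exe -s",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Hashes": "IMPHASH=00000000000000000000000000000000"},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Hashes": "IMPHASH=00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(rule_matches(e), e["Image"])
```

The third event satisfies selection_2 because the comparison is case-insensitive, and is suppressed only by the filter on `\clussvc.exe`.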