LoFP / another service that uses a single -s command line switch

Techniques

Sample rules

HackTool - Windows Credential Editor (WCE) Execution

Description

Detects the use of Windows Credential Editor (WCE)

Detection logic

condition: 1 of selection_* and not filter
filter:
  Image|endswith: \clussvc.exe
selection_1:
- Imphash:
  - a53a02b997935fd8eedcb5f7abab9b9f
  - e96a73c7bf33a464c510ede582318bf2
- Hashes|contains:
  - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
  - IMPHASH=e96a73c7bf33a464c510ede582318bf2
selection_2:
  CommandLine|endswith: .exe -S
  ParentImage|endswith: \services.exe
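To show how the false positive this page lists arises, here is an added Python example (not LoFP's code and not part of the Sigma rule) that evaluates the rule's condition against constructed Sysmon-style process-creation events; the event names, file paths and MD5 placeholder are assumptions, and "other_service_dash_s" stands in for any service launched by services.exe with a single -s switch.

```python
# Added example, not LoFP's or the rule's own code: a minimal evaluator for the rule above.
WCE_IMPHASHES = {"a53a02b997935fd8eedcb5f7abab9b9f", "e96a73c7bf33a464c510ede582318bf2"}

def _ends_with(value, suffix):
    # Sigma string comparisons are case-insensitive, so '-s' and '-S' both hit.
    return value.lower().endswith(suffix.lower())

def selection_1(event):
    """Known WCE import hashes, as a bare Imphash field or inside Sysmon's Hashes."""
    if event.get("Imphash", "").lower() in WCE_IMPHASHES:
        return True
    hashes = event.get("Hashes", "").lower()
    return any(f"imphash={h}" in hashes for h in WCE_IMPHASHES)

def selection_2(event):
    """A process started by services.exe whose command line ends in '.exe -S'."""
    return (_ends_with(event.get("CommandLine", ""), ".exe -S")
            and _ends_with(event.get("ParentImage", ""), "\\services.exe"))

def filter_clussvc(event):
    # The rule excludes only the Windows cluster service binary.
    return _ends_with(event.get("Image", ""), "\\clussvc.exe")

def rule_matches(event):
    # condition: 1 of selection_* and not filter
    return (selection_1(event) or selection_2(event)) and not filter_clussvc(event)

# Constructed sample events; paths and the MD5 value are illustrative placeholders.
EVENTS = {
    "wce_by_imphash": {
        "Image": r"C:\Users\u\Desktop\wce.exe", "CommandLine": "wce.exe -w",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Hashes": "MD5=PLACEHOLDER,IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F",
    },
    "cluster_service": {  # excluded by the filter
        "Image": r"C:\Windows\Cluster\clussvc.exe",
        "CommandLine": r"C:\Windows\Cluster\clussvc.exe -s",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    "other_service_dash_s": {  # the false positive this page describes
        "Image": r"C:\Program Files\Example\examplesvc.exe",
        "CommandLine": r"C:\Program Files\Example\examplesvc.exe -s",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
}

def evaluate_all():
    return {name: rule_matches(ev) for name, ev in EVENTS.items()}
```

Only clussvc.exe is carved out, so any other service with the same launch pattern still fires selection_2; a tuning filter would extend the Image exclusion to that service's binary rather than loosen the -S match.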