Sigma rules · Windows Credential Editor

Home/Windows Credential Editor/Sigma rules

Sigma

Sigma rules for Windows Credential Editor

2 rules · scoped to tool · back to Windows Credential Editor

Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

◈

Detection rules

2 of 2

direct critical

HackTool - Windows Credential Editor (WCE) Execution

Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.

status test author Florian Roth (Nextron Systems) id 7aa7009a-28b9-4344-8c1f-159489a390df license Sigma · DRL-1.1

view Sigma YAML

title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
    Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
    It is often used by threat actors for credential dumping and lateral movement within compromised networks.
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\WCE.exe'
            - '\WCE64.exe'
    selection_hash:
        Hashes|contains:
            - 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
            - 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
            - 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
            - 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
            - 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
            - 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
            - 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
            - 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
            - 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical

direct critical

Windows Credential Editor Registry

Detects the use of Windows Credential Editor (WCE)

status test author Florian Roth (Nextron Systems) id a6b33c02-8305-488f-8585-03cb2a7763f2 license Sigma · DRL-1.1

view Sigma YAML

title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: Services\WCESERVICE\Start
    condition: selection
falsepositives:
    - Unknown
level: critical

Showing 1-2 of 2

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin