
WCE wceaux.dll Access

Sigma Rules

Summary
The rule detects access to the file 'wceaux.dll', a component that Windows Credential Editor (WCE), a credential-dumping tool used for pass-the-hash attacks, drops and loads when it runs. When WCE is used for pass-the-hash remote command execution, the DLL is accessed on the source host, and that file access is what the rule looks for. The detection matches Windows Security object-access events with Event IDs 4656 (handle requested), 4658 (handle closed), 4660 (object deleted) and 4663 (access attempted) whose 'ObjectName' ends with 'wceaux.dll'. These events are only written when object-access auditing (Audit File System) is enabled and a SACL covers the files in question; without that audit configuration the rule has nothing to match. A hit indicates that a credential-dumping tool is in use on the host and should be treated as likely credential access rather than as ordinary administrative activity.
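The selection logic described above, applied to constructed Windows Security event records. This is an added example, not the Sigma rule itself or code from the Sigma project; the event dictionaries are made up for illustration. Two details are assumptions of this example rather than statements from the page: the suffix is anchored to the preceding backslash ('\wceaux.dll') so that a differently named file such as 'notwceaux.dll' does not match, and an optional 'Channel' field is checked to keep the match scoped to the Security log.

```python
"""Added example, not the Sigma rule's own code: applies the rule's selection
(EventID in {4656, 4658, 4660, 4663} and ObjectName ending in wceaux.dll) to
constructed Windows Security event records and returns the hits."""

# Object-access events the rule selects on: 4656 handle requested, 4658 handle
# closed, 4660 object deleted, 4663 access attempted.
EVENT_IDS = {4656, 4658, 4660, 4663}

# Assumption of this example: anchor the suffix to the path separator so that a
# file such as 'notwceaux.dll' is not matched; the page only states 'wceaux.dll'.
SUFFIX = "\\wceaux.dll"


def matches(event):
    """True if one Security event satisfies the rule's selection."""
    # Assumption: events carry an optional 'Channel'; only the Security log counts.
    if event.get("Channel", "Security") != "Security":
        return False
    try:
        event_id = int(event.get("EventID"))
    except (TypeError, ValueError):
        return False  # missing or malformed EventID never matches
    if event_id not in EVENT_IDS:
        return False
    # Sigma string matching is case-insensitive, so normalise before comparing.
    return str(event.get("ObjectName", "")).lower().endswith(SUFFIX)


def scan(events):
    """Return the matching events, in input order."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry). Only the first two should hit.
SAMPLE_EVENTS = [
    {"EventID": 4656, "ObjectName": "C:\\Users\\bob\\AppData\\Local\\Temp\\wceaux.dll",
     "ProcessName": "C:\\Users\\bob\\Downloads\\wce.exe"},
    {"EventID": 4663, "ObjectName": "C:\\Windows\\Temp\\WCEAUX.DLL",  # case differs
     "ProcessName": "C:\\Windows\\Temp\\svc.exe"},
    {"EventID": 4663, "ObjectName": "C:\\Windows\\System32\\kernel32.dll",  # other DLL
     "ProcessName": "C:\\Windows\\explorer.exe"},
    {"EventID": 4688, "ObjectName": "C:\\tools\\wceaux.dll",  # process creation, not object access
     "ProcessName": "C:\\tools\\wce.exe"},
    {"EventID": 4663, "ObjectName": "C:\\tools\\notwceaux.dll",  # not preceded by a separator
     "ProcessName": "C:\\tools\\x.exe"},
    {"EventID": 4663, "ObjectName": "C:\\tools\\wceaux.dll.bak",  # different suffix
     "ProcessName": "C:\\tools\\x.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("WCE indicator: EventID %s on %s by %s"
              % (hit["EventID"], hit["ObjectName"], hit.get("ProcessName", "?")))
```

Running the block prints the two hits (the Temp-directory accesses by wce.exe and svc.exe) and ignores the rest. The case-insensitive comparison matters in practice because 'ObjectName' is recorded as the caller supplied it, and renaming the DLL to upper case must not evade the rule.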
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • File
  • Windows Registry
  • Process
Created: 2017-06-14