Detectioncriticaltest

WCE wceaux.dll Access

Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Thomas PatzkeCreated Wed Jun 14Updated Thu Jan 301de68c67-af5c-4097-9c85-fe5578e09e67windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectName|endswith: '\wceaux.dll'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Techniques

Software

Rule Metadata

Rule ID

1de68c67-af5c-4097-9c85-fe5578e09e67

Status

test

Level

critical

Type

Detection

Created

Wed Jun 14

Modified

Thu Jan 30

Author

Path

rules/windows/builtin/security/win_security_mal_wceaux_dll.yml

Raw Tags

attack.credential-accessattack.t1003attack.s0005