Detectioncriticaltest

Windows Credential Editor Registry

Detects the use of Windows Credential Editor (WCE)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Tue Dec 31Updated Sat Nov 27a6b33c02-8305-488f-8585-03cb2a7763f2windows

Log Source

WindowsRegistry Event

ProductWindows← raw: windows

CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetObject|contains: Services\WCESERVICE\Start
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Sub-techniques

Software

Rule Metadata

Rule ID

a6b33c02-8305-488f-8585-03cb2a7763f2

Status

test

Level

critical

Type

Detection

Created

Tue Dec 31

Modified

Sat Nov 27

Author

Path

rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml

Raw Tags

attack.credential-accessattack.t1003.001attack.s0005