
HackTool - Windows Credential Editor (WCE) Execution

Format: Sigma · Level: critical · Source: SigmaHQ
ATT&CK: T1003.001
Sentinel table: imProcessCreate
Tags: credential-theft, exploit, lateral-movement
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-09T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks. The rule fires on either of two independent signals: the tool's default file names (WCE.exe, WCE64.exe) or the import hashes (IMPHASH) of known WCE builds. A renamed copy of a known build therefore still trips the hash branch, while a recompiled or packed build run under a non-default name is not covered by this rule.

Detection Rule

Sigma (Original)

title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
    Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
    It is often used by threat actors for credential dumping and lateral movement within compromised networks.
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\WCE.exe'
            - '\WCE64.exe'
    selection_hash:
        Hashes|contains:
            - 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
            - 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
            - 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
            - 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
            - 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
            - 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
            - 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
            - 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
            - 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessName endswith "\\WCE.exe" or TargetProcessName endswith "\\WCE64.exe")
    or (TargetProcessIMPHASH startswith "136F0A8572C058A96436C82E541E4C41"
        or TargetProcessIMPHASH startswith "589657C64DDE88533186C39F82FA1F50"
        or TargetProcessIMPHASH startswith "6BFE09EFCB4FFDE061EBDBAFC4DB84CF"
        or TargetProcessIMPHASH startswith "7D490037BF450877E6D0287BDCFF8D2E"
        or TargetProcessIMPHASH startswith "8AB93B061287C79F3088C5BC7E7D97ED"
        or TargetProcessIMPHASH startswith "A53A02B997935FD8EEDCB5F7ABAB9B9F"
        or TargetProcessIMPHASH startswith "BA434A7A729EEC20E136CA4C32D6C740"
        or TargetProcessIMPHASH startswith "BD1D1547DA13C0FCB6C15E86217D5EB8"
        or TargetProcessIMPHASH startswith "E96A73C7BF33A464C510EDE582318BF2")
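To see how the two selections behave before deploying, the following added example (editor's code, not part of the SigmaHQ rule or this feed) re-implements the rule's matching logic in Python and runs it over a handful of constructed Sysmon Event ID 1 style records. The import hashes are copied from the rule; the `parse_hashes` and `triage` helpers and every sample event are assumptions made for illustration, not real telemetry. The samples include a renamed known build (still caught by the hash branch), a host whose Sysmon configuration does not compute IMPHASH (only the file-name branch can fire) and a recompiled build under a new name (the rule's blind spot).

```python
# Reference implementation of the rule's two selections, run over constructed
# Sysmon Event ID 1 style records. Added example, not SigmaHQ code.

# Values copied from the Sigma rule. Matching is case-insensitive, as it is for
# Sigma string modifiers and for KQL's endswith/startswith.
IMAGE_SUFFIXES = ("\\wce.exe", "\\wce64.exe")
WCE_IMPHASHES = {
    "136F0A8572C058A96436C82E541E4C41",
    "589657C64DDE88533186C39F82FA1F50",
    "6BFE09EFCB4FFDE061EBDBAFC4DB84CF",
    "7D490037BF450877E6D0287BDCFF8D2E",
    "8AB93B061287C79F3088C5BC7E7D97ED",
    "A53A02B997935FD8EEDCB5F7ABAB9B9F",
    "BA434A7A729EEC20E136CA4C32D6C740",
    "BD1D1547DA13C0FCB6C15E86217D5EB8",
    "E96A73C7BF33A464C510EDE582318BF2",
}


def parse_hashes(hashes_field):
    """Split Sysmon's 'SHA1=..,MD5=..,IMPHASH=..' Hashes string into a dict.
    Algorithm names and values are upper-cased so lookups are case-insensitive."""
    parsed = {}
    for part in hashes_field.split(","):
        alg, sep, val = part.partition("=")
        if sep:
            parsed[alg.strip().upper()] = val.strip().upper()
    return parsed


def match(event):
    """Return the names of the rule selections that fire for one event."""
    hits = []
    # selection_img: Image|endswith on the default WCE file names.
    if event.get("Image", "").lower().endswith(IMAGE_SUFFIXES):
        hits.append("selection_img")
    # selection_hash: Hashes|contains 'IMPHASH=<known build>'.
    if parse_hashes(event.get("Hashes", "")).get("IMPHASH") in WCE_IMPHASHES:
        hits.append("selection_hash")
    return hits


def triage(events):
    """Apply 'condition: 1 of selection_*': any firing selection is an alert."""
    return [(e["Image"], match(e)) for e in events if match(e)]


# Constructed sample events (not real telemetry). Only the IMPHASH part of the
# Hashes field matters to this rule; the other hash values are placeholders.
SAMPLE_EVENTS = [
    # Default file name and a known build: both selections fire.
    {"Image": "C:\\Users\\Public\\wce.exe",
     "Hashes": "MD5=0,SHA256=0,IMPHASH=136F0A8572C058A96436C82E541E4C41"},
    # Known build renamed to blend in: renaming does not evade the hash branch.
    {"Image": "C:\\Windows\\Temp\\svchost.exe",
     "Hashes": "MD5=0,SHA256=0,IMPHASH=e96a73c7bf33a464c510ede582318bf2"},
    # Default name on a host whose Sysmon config does not compute IMPHASH.
    {"Image": "D:\\tools\\WCE64.exe",
     "Hashes": "SHA256=0"},
    # Benign process with an unrelated import hash: no alert.
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "Hashes": "MD5=0,IMPHASH=00000000000000000000000000000000"},
    # Recompiled or packed build under a new name: the rule's blind spot.
    {"Image": "C:\\Users\\Public\\x.exe",
     "Hashes": "MD5=0,IMPHASH=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"},
]


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT {image}: {', '.join(hits)}")
```

Running the block prints three alerts out of five events; the last two samples produce none, which is the behaviour to keep in mind when tuning: the file-name branch is trivially evaded and the hash branch only covers the builds listed in the rule.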

Required Data Sources

Sentinel table: imProcessCreate (ASIM ProcessEvent). Ensure the data connector feeding it is enabled.

Notes: the Hashes selection requires Sysmon Event ID 1 with IMPHASH included in the Sysmon configuration's HashAlgorithms; Security Event 4688 carries no hash field, so on hosts that only forward 4688 the file-name branch is the only one that can fire.

False Positive Guidance

The rule lists its false positives as Unknown. Executables named WCE.exe or WCE64.exe, or carrying one of the listed import hashes, have no legitimate business use on production hosts; expected benign hits are authorized penetration tests and red-team engagements, and analysts staging the tool in a lab. Treat any other hit as a confirmed credential-dumping attempt and pivot to the parent process and user.

MITRE ATT&CK Context

Tactic: Credential Access (TA0006). Technique: T1003.001, OS Credential Dumping: LSASS Memory. Software: S0005, Windows Credential Editor.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_wce.yml