rules/windows/registry_event/sysmon_hack_wce_reg.yml

title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
description: Detects the use of Windows Credential Editor (WCE)
author: Florian Roth
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
date: 2019/12/31
modified: 2020/09/06
tags:
    - attack.credential_access
    - attack.t1003 # an old one
    - attack.t1003.001
    - attack.s0005
logsource:
    category: registry_event
    product: windows
detection:
    selection:       
        TargetObject|contains: Services\WCESERVICE\Start
    condition: selection
falsepositives:
    - 'Another service that uses a single -s command line switch'
level: critical
fix: duplicate IDs and rule titles 2020-07-01 16:37:27 +02:00			`title: Windows Credential Editor Registry`
			`id: a6b33c02-8305-488f-8585-03cb2a7763f2`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`description: Detects the use of Windows Credential Editor (WCE)`
			`author: Florian Roth`
			`references:`
			`- https://www.ampliasecurity.com/research/windows-credentials-editor/`
			`date: 2019/12/31`
att&ck tags review: windows/registry_event 2020-09-06 22:08:27 +03:00			`modified: 2020/09/06`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`tags:`
			`- attack.credential_access`
att&ck tags review: windows/registry_event 2020-09-06 22:08:27 +03:00			`- attack.t1003 # an old one`
			`- attack.t1003.001`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`- attack.s0005`
			`logsource:`
			`category: registry_event`
			`product: windows`
			`detection:`
			`selection:`
			`TargetObject\|contains: Services\WCESERVICE\Start`
			`condition: selection`
refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00			`falsepositives:`
			`- 'Another service that uses a single -s command line switch'`
			`level: critical`