Merge PR #5712 from @swachchhanda000 - fix: rules for blackByte ransomware and wce detection

update: Blackbyte Ransomware Registry - move to rules-emerging-threats folder
fix: HackTool - Windows Credential Editor (WCE) Execution - remove fp selection while increasing coverage

---------
Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>

rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml

@@ -0,0 +1,31 @@
+title: Blackbyte Ransomware Registry
+id: 83314318-052a-4c90-a1ad-660ece38d276
+status: test
+description: |
+    Detects specific windows registry modifications made by BlackByte ransomware variants.
+    BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
+    This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
+references:
+    - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
+    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
+author: frack113
+date: 2022-01-24
+modified: 2025-10-21
+tags:
+    - attack.defense-evasion
+    - attack.t1112
+    - detection.emerging-threats
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject:
+            - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy'
+            - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections'
+            - 'HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled'
+        Details: 'DWORD (0x00000001)'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_hktl_wce.yml

@@ -1,12 +1,14 @@
 title: HackTool - Windows Credential Editor (WCE) Execution
 id: 7aa7009a-28b9-4344-8c1f-159489a390df
 status: test
-description: Detects the use of Windows Credential Editor (WCE)
+description: |
+    Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
+    It is often used by threat actors for credential dumping and lateral movement within compromised networks.
 references:
     - https://www.ampliasecurity.com/research/windows-credentials-editor/
 author: Florian Roth (Nextron Systems)
 date: 2019-12-31
-modified: 2024-11-23
+modified: 2025-10-21
 tags:
     - attack.credential-access
     - attack.t1003.001
@@ -15,16 +17,22 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection_1:
-        Hashes|contains:  # Sysmon field hashes contains all types
-            - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
-            - IMPHASH=e96a73c7bf33a464c510ede582318bf2
-    selection_2:
-        CommandLine|endswith: '.exe -S'
-        ParentImage|endswith: '\services.exe'
-    filter:
-        Image|endswith: '\clussvc.exe'
-    condition: 1 of selection_* and not filter
+    selection_img:
+        Image|endswith:
+            - '\WCE.exe'
+            - '\WCE64.exe'
+    selection_hash:
+        Hashes|contains:
+            - 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
+            - 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
+            - 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
+            - 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
+            - 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
+            - 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
+            - 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
+            - 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
+            - 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
+    condition: 1 of selection_*
 falsepositives:
-    - Another service that uses a single -s command line switch
+    - Unknown
 level: critical

rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml

@@ -1,27 +0,0 @@
-title: Blackbyte Ransomware Registry
-id: 83314318-052a-4c90-a1ad-660ece38d276
-status: test
-description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
-references:
-    - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
-    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
-author: frack113
-date: 2022-01-24
-modified: 2023-08-17
-tags:
-    - attack.defense-evasion
-    - attack.t1112
-logsource:
-    category: registry_set
-    product: windows
-detection:
-    selection:
-        TargetObject:
-            - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
-            - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections
-            - HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled
-        Details: DWORD (0x00000001)
-    condition: selection
-falsepositives:
-    - Unknown
-level: high