HackTool - Windows Credential Editor (WCE) Execution (7aa7009a-28b9-4344-8c1f-159489a390df)

Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| HackTool - Windows Credential Editor (WCE) Execution (7aa7009a-28b9-4344-8c1f-159489a390df) | Sigma-Rules | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 1 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 2 |