Windows WCE wceaux.dll access

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects access to wceaux.dll, a component of the Windows Credential Editor (WCE) tool used to extract plaintext passwords and hashes from memory.

Strategy

This rule monitors for file access operations targeting the wceaux.dll file. WCE is a well-known credential theft tool that extracts plaintext passwords, NTLM hashes, and Kerberos tickets directly from Windows memory.

The query looks for Windows Security event IDs 4656 (a handle to an object was requested), 4658 (the handle was closed), 4660 (an object was deleted), or 4663 (an attempt was made to access an object). These events are generated when a file is opened, closed, deleted, or read or written. The @Event.EventData.Data.ObjectName field is examined for paths containing wceaux.dll, which is a core component of the WCE tool. Note that these file system audit events only appear when the "Audit File System" subcategory of Object Access auditing is enabled and the file or its parent directory carries a system access control list (SACL); without both, the rule has nothing to match.

The wceaux.dll file is exclusively associated with the WCE tool and has no legitimate use in standard enterprise environments. Its presence on a system strongly indicates an attempt to steal credentials. When WCE is executed, it injects wceaux.dll into the Local Security Authority Subsystem Service (LSASS) process to extract credential material from memory.
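The matching logic described above, re-implemented over constructed sample records so it can be run offline. This is an added example, not Datadog's rule code or the WCE tool's code. It assumes events are JSON objects nested as the field path @Event.EventData.Data.ObjectName implies, assumes a top-level "host" key, and assumes the path match is case-insensitive (Windows paths are); the hostnames, users and paths in SAMPLE_EVENTS are made up for illustration.

```python
"""Toy re-implementation of the wceaux.dll file-access rule over constructed events."""
import json

# Event IDs the rule queries: handle requested (4656), handle closed (4658),
# object deleted (4660), access attempted (4663).
FILE_ACCESS_EVENT_IDS = {4656, 4658, 4660, 4663}
INDICATOR = "wceaux.dll"

# Constructed sample records (not real telemetry) in the nested shape that the
# rule's field path @Event.EventData.Data.ObjectName implies.
SAMPLE_EVENTS = [
    # WCE dropped its DLL in the user's download folder and opened it.
    {"host": "WS01", "Event": {"System": {"EventID": 4656},
        "EventData": {"Data": {"ObjectName": "C:\\Users\\alice\\Downloads\\wce\\wceaux.dll",
                               "SubjectUserName": "alice",
                               "ProcessName": "C:\\Users\\alice\\Downloads\\wce\\wce.exe"}}}},
    # Upper-case path, accessed from lsass.exe after injection.
    {"host": "WS01", "Event": {"System": {"EventID": 4663},
        "EventData": {"Data": {"ObjectName": "C:\\Windows\\Temp\\WCEAUX.DLL",
                               "SubjectUserName": "SYSTEM",
                               "ProcessName": "C:\\Windows\\System32\\lsass.exe"}}}},
    # Benign file access on another host: must not match.
    {"host": "WS02", "Event": {"System": {"EventID": 4663},
        "EventData": {"Data": {"ObjectName": "C:\\Windows\\System32\\wevtsvc.dll",
                               "SubjectUserName": "SYSTEM",
                               "ProcessName": "C:\\Windows\\System32\\svchost.exe"}}}},
    # Process creation (4688) mentioning WCE: not one of the four file-access
    # IDs, so the rule as described does not fire on it.
    {"host": "WS02", "Event": {"System": {"EventID": 4688},
        "EventData": {"Data": {"CommandLine": "wce.exe -w",
                               "NewProcessName": "C:\\tools\\wce.exe"}}}},
]

# Same records as newline-delimited JSON, for the ndjson entry point below.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def _event_id(event):
    """Return the numeric EventID, or None if the record is malformed."""
    try:
        return int(event["Event"]["System"]["EventID"])
    except (KeyError, TypeError, ValueError):
        return None


def _data(event):
    """Return the EventData.Data mapping, or an empty dict if absent."""
    return event.get("Event", {}).get("EventData", {}).get("Data", {}) or {}


def matches_rule(event):
    """True when EventID is one of the four file-access IDs and ObjectName
    contains wceaux.dll (case-insensitive, an assumption of this example)."""
    if _event_id(event) not in FILE_ACCESS_EVENT_IDS:
        return False
    object_name = str(_data(event).get("ObjectName", ""))
    return INDICATOR in object_name.lower()


def detect(events):
    """Return one triage record per matching event, carrying the fields the
    triage steps ask for first: host, user, accessing process, file path."""
    hits = []
    for event in events:
        if not matches_rule(event):
            continue
        data = _data(event)
        hits.append({
            "host": event.get("host"),
            "event_id": _event_id(event),
            "path": data.get("ObjectName"),
            "user": data.get("SubjectUserName"),
            "process": data.get("ProcessName"),
        })
    return hits


def detect_ndjson(lines):
    """Run the same check over newline-delimited JSON, skipping unparsable lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return detect(events)


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints the two WS01 hits and nothing for WS02. The 4688 record is deliberately left unmatched to show the rule's blind spot: it only sees file-access audit events, so a process creation rule for wce.exe is a separate, complementary detection.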

Triage & Response

  • Immediately identify the location of wceaux.dll on {{host}} and the user account that accessed it.
  • Determine the process that accessed wceaux.dll and its parent process.
  • Check for successful execution of WCE by reviewing other security events around the same time, such as process creation (event ID 4688) for wce.exe or an unfamiliar binary in the same directory.
  • Look for evidence of credential dumping, such as unexpected handles to or memory operations on the LSASS process.
  • Verify whether the account that accessed wceaux.dll has administrative privileges, which WCE needs to read LSASS memory.
  • Examine logon sessions and network connections for signs of lateral movement.
  • Check for additional hacking tools or suspicious executables in the same directory.
  • Reset the credentials of every account that had a logon session on the compromised host, since WCE can read credential material for all of them, and treat any extracted hashes or tickets as compromised.