---
title: Windows WCE wceaux.dll access
description: Datadog, the leading service for cloud-scale monitoring.
---

# Windows WCE wceaux.dll access

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification: attack. Tactic: [TA0006 - Credential Access](https://attack.mitre.org/tactics/TA0006). Technique: [T1003 - OS Credential Dumping](https://attack.mitre.org/techniques/T1003).

## Goal{% #goal %}

Detects access to `wceaux.dll`, a component of the Windows Credential Editor (WCE) tool used to extract plaintext passwords and hashes from memory.

## Strategy{% #strategy %}

This rule monitors for file access operations targeting the `wceaux.dll` file. WCE is a well-known credential theft tool that extracts plaintext passwords, NTLM hashes, and Kerberos tickets directly from Windows memory.

The query looks for Windows event IDs `4656`, `4658`, `4660`, or `4663`, which represent various file access operations. These events are generated when files are opened, closed, or otherwise accessed. The `@Event.EventData.Data.ObjectName` field is examined for paths containing `wceaux.dll`, which is a core component of the WCE tool.

The `wceaux.dll` file is exclusively associated with the WCE tool and has no legitimate use in standard enterprise environments. Its presence on a system strongly indicates an attempt to steal credentials. When WCE is executed, it injects `wceaux.dll` into the Local Security Authority Subsystem Service (LSASS) process to extract credential material from memory.
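The detection logic described above, re-implemented as an added stand-alone example over constructed sample events. This is not Datadog's own rule code: the nested `Event.System.EventID` / `Event.EventData.Data.*` field layout, the host and process field names, and the sample records are assumptions modelled on the `@Event.EventData.Data.ObjectName` field named on the page. The match is made case-insensitive because Windows paths are case-insensitive, so a literal substring match on `wceaux.dll` would miss `WCEAUX.DLL`.

```python
"""Added example: detection of file access to wceaux.dll over sample
Windows Security events. Not Datadog's rule code; event layout and
field names are assumptions, and the sample events are constructed."""
import json

# Windows Security event IDs the rule matches on (from the page).
FILE_ACCESS_EVENT_IDS = {4656, 4658, 4660, 4663}
TARGET_FILENAME = "wceaux.dll"

# Constructed sample events (not real telemetry), one JSON record per line.
SAMPLE_EVENTS = [
    # 4663 with an upper-case filename: must still match.
    json.dumps({"Event": {
        "System": {"EventID": 4663, "Computer": "ws01.corp.example"},
        "EventData": {"Data": {
            "ObjectName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\WCEAUX.DLL",
            "SubjectUserName": "jdoe",
            "ProcessName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\wce.exe"}}}}),
    # 4656 (handle requested) with a lower-case path: matches.
    json.dumps({"Event": {
        "System": {"EventID": "4656", "Computer": "ws02.corp.example"},
        "EventData": {"Data": {
            "ObjectName": "D:\\tools\\wceaux.dll",
            "SubjectUserName": "svc_backup",
            "ProcessName": "D:\\tools\\wce.exe"}}}}),
    # Benign file access: wrong object name, no match.
    json.dumps({"Event": {
        "System": {"EventID": 4663, "Computer": "ws01.corp.example"},
        "EventData": {"Data": {
            "ObjectName": "C:\\Windows\\System32\\kernel32.dll",
            "SubjectUserName": "jdoe",
            "ProcessName": "C:\\Windows\\explorer.exe"}}}}),
    # Event ID outside the rule's scope: no match even though the name appears.
    json.dumps({"Event": {
        "System": {"EventID": 4688, "Computer": "ws03.corp.example"},
        "EventData": {"Data": {
            "ObjectName": "C:\\Temp\\wceaux.dll",
            "SubjectUserName": "admin"}}}}),
]


def get_field(event, dotted_path, default=None):
    """Walk a nested dict by a dotted key path, returning default if absent."""
    node = event
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def matches_rule(event):
    """True when the event is a file-access event whose ObjectName names wceaux.dll."""
    try:
        event_id = int(get_field(event, "Event.System.EventID", -1))
    except (TypeError, ValueError):
        return False
    object_name = get_field(event, "Event.EventData.Data.ObjectName", "") or ""
    # Normalise case: Windows paths are case-insensitive.
    return event_id in FILE_ACCESS_EVENT_IDS and TARGET_FILENAME in object_name.lower()


def detect(json_lines):
    """Parse JSON event lines and return triage summaries for every match."""
    hits = []
    for line in json_lines:
        event = json.loads(line)
        if matches_rule(event):
            hits.append({
                "event_id": int(get_field(event, "Event.System.EventID")),
                "host": get_field(event, "Event.System.Computer"),
                "user": get_field(event, "Event.EventData.Data.SubjectUserName"),
                "process": get_field(event, "Event.EventData.Data.ProcessName"),
                "object_name": get_field(event, "Event.EventData.Data.ObjectName"),
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Each returned summary carries the host, accessing account, process and full path, which are the first items the triage steps below ask for. Running the block over the four constructed events yields two hits (the `4663` and `4656` records) and drops the benign access and the out-of-scope `4688` event.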

## Triage & Response{% #triage--response %}

- Immediately identify the location of `wceaux.dll` on `{{host}}` and the user account that accessed it.
- Determine the process that accessed `wceaux.dll` and its parent process.
- Check for successful execution of WCE by reviewing additional security events around the same time.
- Look for evidence of credential dumping via unexpected LSASS access or memory operations.
- Verify whether the account accessing `wceaux.dll` has administrative privileges.
- Examine logon sessions and network connections for signs of lateral movement.
- Check for additional hacking tools or suspicious executables in the same directory.
- Reset all account credentials that were potentially accessed on the compromised system.
