SigmaHQ/rules/windows/builtin/win_mal_wceaux_dll.yml
2018-01-27 10:57:30 +01:00

21 lines
535 B
YAML

title: WCE wceaux.dll Access
status: experimental
description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
author: Thomas Patzke
reference: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4658
- 4660
- 4663
ObjectName: '*\wceaux.dll'
condition: selection
falsepositives:
- Penetration testing
level: critical