Adversaries using Windows Credentials Editor (WCE) for pass-the-hash remote command execution access the wceaux.dll file that WCE drops on the source host, so object-access events for that file indicate likely lateral movement and command execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat activity that could compromise host integrity and network security.
Detection Rule
title: WCE wceaux.dll Access
id: 1de68c67-af5c-4097-9c85-fe5578e09e67
status: test
description: Detects access to wceaux.dll during WCE pass-the-hash remote command execution on the source host
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-14
modified: 2025-01-30
tags:
    - attack.credential-access
    - attack.t1003
    - attack.s0005
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectName|endswith: '\wceaux.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
// Azure Sentinel (KQL) equivalent of the rule's selection block. Events 4656/4663 are
// file/object handle events in the Security log, so the query reads SecurityEvent;
// imRegistry/RegistryKey covers registry telemetry and would not see these events.
SecurityEvent
| where EventID in (4656, 4663)
| where ObjectName endswith @"\wceaux.dll"
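The following is an added example, not code from the Sigma project or the rule author: it applies the rule's selection logic (EventID 4656 or 4663 and ObjectName ending in \wceaux.dll, compared case-insensitively as Sigma's endswith modifier does) to a handful of constructed Security event records, so the matching behaviour can be checked before the rule is deployed.

```python
"""Evaluate the 'WCE wceaux.dll Access' selection against sample events.
Added example; the event records below are constructed, not real telemetry."""
from typing import Iterable

# Mirrors the rule: EventID 4656 (handle requested) or 4663 (object accessed)
# and an ObjectName that ends in '\wceaux.dll'.
WATCHED_EVENT_IDS = {4656, 4663}
SUFFIX = "\\wceaux.dll"


def matches_rule(event: dict) -> bool:
    """Return True when an event satisfies the rule's 'selection' block.
    Sigma string modifiers such as endswith are case-insensitive, so both
    sides are lowercased before comparison."""
    try:
        event_id = int(event.get("EventID", -1))
    except (TypeError, ValueError):
        return False
    if event_id not in WATCHED_EVENT_IDS:
        return False
    object_name = str(event.get("ObjectName", ""))
    return object_name.lower().endswith(SUFFIX)


def hunt(events: Iterable[dict]) -> list:
    """Return the events that match, the rows a Sentinel query would surface."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hostnames and usernames are placeholders).
SAMPLE_EVENTS = [
    {"EventID": 4663, "Computer": "ws01.example.local", "SubjectUserName": "jdoe",
     "ObjectName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\wceaux.dll"},
    {"EventID": "4656", "Computer": "ws01.example.local", "SubjectUserName": "jdoe",
     "ObjectName": "C:\\Windows\\Temp\\WCEAUX.DLL"},          # case differs, still matches
    {"EventID": 4663, "Computer": "ws02.example.local", "SubjectUserName": "svc-backup",
     "ObjectName": "C:\\Program Files\\App\\wceaux.dll.bak"},  # wrong suffix, no match
    {"EventID": 4688, "Computer": "ws01.example.local", "SubjectUserName": "jdoe",
     "ObjectName": "C:\\Temp\\wceaux.dll"},                   # process creation, not object access
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {hit['SubjectUserName']} accessed {hit['ObjectName']}")
```

Events 4656 and 4663 are only generated when object access auditing for the file system is enabled and a SACL covers the path, so confirm that audit policy is in place on the hosts the query is expected to cover.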
Scenario: Legitimate WCEaux.dll Access via Scheduled Job
Description: A scheduled job runs a legitimate script that uses wceaux.dll for legitimate administrative tasks, such as system monitoring or log analysis.
Filter/Exclusion: Exclude processes initiated by scheduled tasks with known legitimate scripts or tools (e.g., schtasks.exe or Task Scheduler jobs).
Scenario: WCEaux.dll Used by a Security Tool for Analysis
Description: A security tool or sandbox environment (e.g., Cuckoo Sandbox, FireEye) uses wceaux.dll as part of its analysis to simulate or detect malicious behavior.
Filter/Exclusion: Exclude processes running under sandboxed environments or with known security tool signatures (e.g., cuckoo, fireeye, vmtoolsd).
Scenario: Administrative Task Involving WCEaux.dll
Description: An admin uses a legitimate tool like PsExec or PSTools to remotely execute a script that requires wceaux.dll for legitimate remote management tasks.
Filter/Exclusion: Exclude processes initiated by trusted administrative tools (e.g., psexec.exe, PsExec, or PsTools) with known admin credentials.
Scenario: WCEaux.dll Access During System Update or Patching
Description: A system update or patching process (e.g., Windows Update, SCCM) temporarily accesses wceaux.dll as part of its installation or configuration.
Filter/Exclusion: Exclude processes associated with system update tools (e.g., wusa.exe, setup.exe, or ccmexec.exe).
Scenario: Legitimate Remote Execution for Compliance Auditing
Description: A compliance or auditing tool (e.g., Microsoft Intune, Azure Security