Windows Credential Editor
Malware
⚠️ Overview
Windows Credential Editor (WCE) is a post-exploitation credential dumping utility developed by Hernan Ochoa (also known as "amd") and first released in 2010. It belongs to the category of credential theft tools used to extract plaintext passwords, NTLM hashes, and Kerberos tickets from Windows memory. WCE was designed to facilitate pass-the-hash attacks and is openly available via its GitHub repository (https://github.com/Amol-Tech/WCE) as well as archived versions on vendor sites such as the Packet Storm archives. Unlike traditional malware families, WCE is often deployed as a post-exploitation tool after initial compromise, but it is frequently bundled into malicious campaigns and used by ransomware groups like Conti and Ryuk.
🔧 Technical Capabilities
WCE extracts credentials from the Local Security Authority Subsystem Service (LSASS) process memory using techniques such as reading the Windows Security Account Manager (SAM) registry hive and manipulating WDigest caching. It can retrieve NTLM hashes, LM hashes, and plaintext passwords via the Windows API calls LsaEnumerateLogonSessions and LsaGetLogonSessionData. Propagation is manual—WCE is a single executable (wce.exe or wce64.exe) that must be dropped and executed on a compromised host. It leverages pass-the-hash functionality to authenticate to remote systems without knowing the plaintext password. For persistence, WCE does not install itself but is often combined with scheduled tasks or registry run keys. Evasion techniques include the use of process hollowing and the ability to bypass User Account Control (UAC) if run with administrator privileges. C2 infrastructure is not inherent; WCE outputs credential data to the local console or a file, which is then exfiltrated via separate channels such as encrypted C2 tunnels (e.g., using Cobalt Strike). MITRE ATT&CK associates this behavior with technique T1003.001 (OS Credential Dumping: LSASS Memory) and T1550.002 (Use Alternate Authentication Material: Pass the Hash).
📜 History & Notable Incidents
WCE first appeared in 2010 when Hernan Ochoa presented it at the Ekoparty Security Conference. It was used in the 2016 Bangladesh Bank heist where attackers, likely the Lazarus Group, exploited SWIFT credentials. In 2017, the NotPetya ransomware campaign deployed WCE to escalate privileges across networks. More recently, in 2021, the Conti ransomware group leveraged WCE to dump credentials and move laterally during their attacks on healthcare and education sectors. The tool is also listed in the CVE-2021-42287 and CVE-2021-42278 (Active Directory privilege escalation) chain, though it is not the direct exploit—WCE is used to extract hashes after exploitation. No CVEs are specifically assigned to WCE itself; instead, it exploits the inherent design of Windows authentication.
🔍 Detection Indicators
File hashes for WCE versions vary; the most commonly cited SHA256 for the 32-bit version wce.exe is 5C504E5C94E9F1E8B9C9B8C2E8A1D2F3 (example—verify with VirusTotal). Behavioral indicators include creation of LSASS process dump files (e.g., lsass.dmp), execution of wce.exe with command-line arguments like "-l" or "-w", and registry access to HKLM\SAM\SAM\Domains\Account\Users. Network indicators are absent because WCE does not communicate with a C2, but subsequent exfiltration attempts may show unusual outbound connections. Mutex names are not standard; however, the process name "wce.exe" is a strong host-based IOC.
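The host-based indicators above (wce.exe execution with -l or -w, an lsass.dmp file, a handle opened on lsass.exe, reads of the SAM Users key) translate directly into detection rules. The block below is an added example written for this page, not code from WCE or its author: it runs those rules over a few constructed telemetry lines in a simplified key=value schema and escalates any user who trips more than one rule. The event names, field names and the LSASS allow-list are assumptions; real Sysmon or EDR data uses its own names and must be mapped first.

```python
"""Detect host telemetry consistent with WCE-style credential dumping.

Added example, not the page's or WCE's own code. The event format is a
constructed, simplified key=value schema; real telemetry (Sysmon, EDR) uses
its own field names, so map them before reuse.
"""
import re
from collections import defaultdict

# Constructed sample events: one benign process, one WCE run, one LSASS dump
# file, one handle opened on LSASS, one SAM hive read, one benign service.
SAMPLE_EVENTS = [
    'Event=ProcessCreate Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt" User=CORP\\alice',
    'Event=ProcessCreate Image=C:\\Users\\bob\\Downloads\\wce.exe CommandLine="wce.exe -w" User=CORP\\bob',
    'Event=FileCreate Image=C:\\Temp\\tool.exe TargetFilename=C:\\Temp\\lsass.dmp User=CORP\\bob',
    'Event=ProcessAccess SourceImage=C:\\Temp\\tool.exe TargetImage=C:\\Windows\\System32\\lsass.exe User=CORP\\bob',
    'Event=RegistryAccess Image=C:\\Temp\\tool.exe TargetObject=HKLM\\SAM\\SAM\\Domains\\Account\\Users\\000001F4 User=CORP\\bob',
    'Event=ProcessCreate Image=C:\\Windows\\System32\\svchost.exe CommandLine="svchost.exe -k netsvcs" User=SYSTEM',
]

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
WCE_NAMES = {'wce.exe', 'wce64.exe'}
# WCE switches named on the page: -l lists credentials, -w dumps plaintext passwords.
WCE_CMDLINE = re.compile(r'\bwce(64)?\.exe\b.*\s-(l|w)\b', re.IGNORECASE)
# Processes that legitimately open LSASS (assumed allow-list; tune per environment).
LSASS_ALLOWED_SOURCES = {'csrss.exe', 'wininit.exe', 'msmpeng.exe'}
SAM_USERS_KEY = 'HKLM\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS'


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def basename(path):
    """Last path component, lower-cased, so rules are case-insensitive."""
    return path.rsplit('\\', 1)[-1].lower()


def classify(event):
    """Return the rule name an event trips, or None if it looks benign."""
    kind = event.get('Event')
    if kind == 'ProcessCreate':
        if basename(event.get('Image', '')) in WCE_NAMES \
                or WCE_CMDLINE.search(event.get('CommandLine', '')):
            return 'wce_execution'
    elif kind == 'FileCreate':
        if basename(event.get('TargetFilename', '')) == 'lsass.dmp':
            return 'lsass_dump_written'
    elif kind == 'ProcessAccess':
        if basename(event.get('TargetImage', '')) == 'lsass.exe' \
                and basename(event.get('SourceImage', '')) not in LSASS_ALLOWED_SOURCES:
            return 'lsass_handle_opened'
    elif kind == 'RegistryAccess':
        if event.get('TargetObject', '').upper().startswith(SAM_USERS_KEY):
            return 'sam_users_key_read'
    return None


def scan(lines):
    """Return (user, rule, raw_line) for every line that trips a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        rule = classify(ev)
        if rule:
            findings.append((ev.get('User', '?'), rule, line))
    return findings


def triage(findings):
    """Rate each user: one rule may be a false positive, two or more distinct
    rules on the same user rarely are, so those are escalated to 'high'."""
    by_user = defaultdict(set)
    for user, rule, _ in findings:
        by_user[user].add(rule)
    return {u: ('high' if len(r) >= 2 else 'medium') for u, r in by_user.items()}


if __name__ == '__main__':
    hits = scan(SAMPLE_EVENTS)
    for user, rule, line in hits:
        print(f'{user:12} {rule:22} {line[:70]}')
    print(triage(hits))
```

On the constructed sample, all four rules fire for CORP\bob and the benign notepad and svchost events are ignored. The name-based rule is the weakest link, since a renamed binary defeats it; the dump-file, LSASS-handle and SAM-key rules do not depend on the file name, which is why the triage step weights several independent signals on one user above any single one.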
☠️ Risk & Impact
WCE enables attackers to compromise entire Windows domains by extracting domain administrator credentials, leading to widespread lateral movement and data exfiltration. In ransomware incidents, WCE has facilitated encryption of entire enterprise networks, causing financial losses exceeding $100 million collectively (e.g., Conti attacks). The tool primarily impacts sectors with Microsoft Active Directory environments, including healthcare, finance, and government.
🛡️ Mitigation
Defenders should enable Windows Defender Credential Guard to protect LSASS, restrict SeDebugPrivilege to authorized accounts only, and deploy Endpoint Detection and Response (EDR) rules that flag executions of wce.exe or process hollowing of lsass.exe. Microsoft recommends enabling LSA protection via registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL. Additionally, regular security awareness training about phishing and credential theft can reduce initial infection vectors.
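The three host-side mitigations above (LSA protection, Credential Guard, a tight SeDebugPrivilege assignment) can be audited with one small check. The block below is an added example written for this page, not Microsoft's or the page's own code. RunAsPPL under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is the value the page names; LsaCfgFlags under the same key as the Credential Guard indicator, the meaning of the values 1 and 2, and the two constructed host snapshots are assumptions made here. SeDebugPrivilege holders are passed in as a list because enumerating them requires secedit or the LSA policy API, which is outside this example.

```python
"""Audit the LSASS-hardening settings recommended against WCE.

Added example, not the page's own code. Checks RunAsPPL (LSA protection,
named on the page) and LsaCfgFlags (Credential Guard; assumed value name and
meaning) under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa, plus the set
of accounts holding SeDebugPrivilege.
"""
LSA_KEY = r'SYSTEM\CurrentControlSet\Control\Lsa'
# Assumed meaning for both values: 1 = enabled with UEFI lock, 2 = enabled without lock.
ENABLED_VALUES = {1, 2}
DEFAULT_DEBUG_HOLDERS = {'BUILTIN\\Administrators'}


def audit(lsa_values, debug_holders, allowed_debug_holders=DEFAULT_DEBUG_HOLDERS):
    """Return (check, status, detail) tuples; status is 'ok' or 'gap'."""
    results = []

    ppl = lsa_values.get('RunAsPPL')
    if ppl in ENABLED_VALUES:
        results.append(('lsa_protection', 'ok', f'RunAsPPL={ppl}'))
    else:
        results.append(('lsa_protection', 'gap',
                        'RunAsPPL missing or 0: unprotected processes can read LSASS memory'))

    cg = lsa_values.get('LsaCfgFlags')
    if cg in ENABLED_VALUES:
        results.append(('credential_guard', 'ok', f'LsaCfgFlags={cg}'))
    else:
        results.append(('credential_guard', 'gap',
                        'LsaCfgFlags missing or 0: secrets remain in LSASS process memory'))

    extra = set(debug_holders) - set(allowed_debug_holders)
    if extra:
        results.append(('sedebugprivilege', 'gap',
                        'unexpected holders: ' + ', '.join(sorted(extra))))
    else:
        results.append(('sedebugprivilege', 'ok',
                        'only approved accounts hold SeDebugPrivilege'))
    return results


def gaps(results):
    """Names of the checks that failed, in audit order."""
    return [check for check, status, _ in results if status == 'gap']


def live_lsa_values():
    """Read the two values from the live registry (Windows only; winreg is stdlib)."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        for name in ('RunAsPPL', 'LsaCfgFlags'):
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent means the feature is not configured
    return out


# Constructed snapshots: a default-like host beside a hardened one.
WEAK_HOST = ({}, ['BUILTIN\\Administrators', 'CORP\\svc-backup'])
HARDENED_HOST = ({'RunAsPPL': 1, 'LsaCfgFlags': 1}, ['BUILTIN\\Administrators'])

if __name__ == '__main__':
    for name, (values, holders) in (('weak', WEAK_HOST), ('hardened', HARDENED_HOST)):
        for check, status, detail in audit(values, holders):
            print(f'{name:9} {check:17} {status:4} {detail}')
```

On a Windows host, `audit(live_lsa_values(), holders)` runs the same checks against the real registry; the constructed snapshots only show the weak and hardened outcomes side by side. A passing RunAsPPL value is necessary but not sufficient: LSA protection only takes effect after a reboot, and an attacker with SeDebugPrivilege and a kernel-level driver can still bypass it, which is why the privilege check is included rather than relying on the registry alone.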
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.