Windows Credential Editor
Windows Credential Editor (WCE, also referred to as windows_credential_editor) is a credential-dumping utility for Windows. The source material consistently describes it as extracting credentials from system memory, particularly LSASS memory, and from local stores such as the SAM database. It is explicitly associated with OS credential dumping from LSASS memory and is also described in some contexts as supporting remote login via pass-the-hash and pass-the-ticket, executing commands with higher privileges using acquired password hashes.
The content links WCE to multiple intrusion sets and campaigns as a dual-use or publicly available tool used during post-compromise activity. Reported users include APT39, APT40, APT41, FIN6, FIN8, BRONZE BUTLER, Cleaver, and Daserf. In the APT39 reporting, WCE was used alongside Mimikatz and ProcDump during intrusions targeting telecommunications and travel organizations, with broader reporting assessing APT39 as aligned with Iranian national interests and focused on surveillance, tracking, and collection of personal and customer data. APT40 reporting states the group used WCE along with ProcDump and custom tooling while targeting engineering, transportation, and defense organizations, especially maritime-related entities, in support of China-linked espionage objectives. APT41 is also specifically noted as obtaining and using Windows Credential Editor.
Behaviorally, the content states WCE can dump credentials and may access or inject into lsass.exe. Detection-oriented material in the content notes that WCE activity may be observable through Sysmon Event ID 8 when creating remote threads in lsass.exe, Sysmon Event ID 7 when unsigned modules are loaded into lsass.exe, and service-related events when used for remote login behavior, including installation of a service named WCESERVICE (for example, System Event ID 7045 and 7036). The content does not provide stable malware-specific network indicators or hashes, but the named artifact WCESERVICE is a concrete indicator mentioned directly in the source material.
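The detection points listed above (Sysmon Event ID 8 for a remote thread created in lsass.exe, Sysmon Event ID 7 for an unsigned module loaded into lsass.exe, and System Event ID 7045/7036 for a service named WCESERVICE) can be expressed as a small triage filter over exported event records. The following is an added example, not code from the original profile or from any of the cited sources; the event records are constructed samples in a JSON-lines shape that mirrors the Sysmon and System event field names, and the rule names are made up for this illustration.

```python
"""Triage filter for the WCE-related event artifacts named in the profile.

The sample records below are constructed for this example (not real telemetry).
Field names follow the Sysmon (SourceImage/TargetImage, Image/ImageLoaded/Signed)
and System log (ServiceName/ImagePath, param1/param2) schemas.
"""
import json

# Constructed sample events: two hits and one benign record per detection point.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 8,
                "SourceImage": "C:\\Temp\\tool.exe",
                "TargetImage": "C:\\Windows\\System32\\lsass.exe"}),
    json.dumps({"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 8,
                "SourceImage": "C:\\Windows\\System32\\csrss.exe",
                "TargetImage": "C:\\Windows\\System32\\svchost.exe"}),
    json.dumps({"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 7,
                "Image": "C:\\Windows\\System32\\lsass.exe",
                "ImageLoaded": "C:\\Temp\\unsigned_module.dll",   # constructed name
                "Signed": "false"}),
    json.dumps({"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 7,
                "Image": "C:\\Windows\\System32\\lsass.exe",
                "ImageLoaded": "C:\\Windows\\System32\\msv1_0.dll",
                "Signed": "true"}),
    json.dumps({"Channel": "System", "EventID": 7045, "ServiceName": "WCESERVICE",
                "ImagePath": "C:\\Temp\\tool.exe"}),
    json.dumps({"Channel": "System", "EventID": 7036,
                "param1": "WCESERVICE", "param2": "running"}),
    json.dumps({"Channel": "System", "EventID": 7036,
                "param1": "Windows Update", "param2": "stopped"}),
])


def _is_lsass(path):
    """True when the image path's file name is lsass.exe (case-insensitive)."""
    if not path:
        return False
    return path.replace("/", "\\").lower().rsplit("\\", 1)[-1] == "lsass.exe"


def detect_wce_artifacts(jsonl):
    """Return one finding per record that matches a WCE-related detection point.

    Rule names are illustrative labels chosen for this example.
    """
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        channel = ev.get("Channel", "")
        sysmon = channel.endswith("Sysmon/Operational")

        # Sysmon EID 8: CreateRemoteThread with lsass.exe as the target.
        if sysmon and eid == 8 and _is_lsass(ev.get("TargetImage")):
            findings.append({"rule": "sysmon8_remote_thread_into_lsass",
                             "source": ev.get("SourceImage")})
        # Sysmon EID 7: image load into lsass.exe where the module is unsigned.
        elif (sysmon and eid == 7 and _is_lsass(ev.get("Image"))
              and str(ev.get("Signed", "")).lower() == "false"):
            findings.append({"rule": "sysmon7_unsigned_module_in_lsass",
                             "module": ev.get("ImageLoaded")})
        # System EID 7045: a new service named WCESERVICE was installed.
        elif (channel == "System" and eid == 7045
              and str(ev.get("ServiceName", "")).upper() == "WCESERVICE"):
            findings.append({"rule": "system7045_wceservice_installed",
                             "image_path": ev.get("ImagePath")})
        # System EID 7036: WCESERVICE changed state (param1 = name, param2 = state).
        elif (channel == "System" and eid == 7036
              and str(ev.get("param1", "")).upper() == "WCESERVICE"):
            findings.append({"rule": "system7036_wceservice_state_change",
                             "state": ev.get("param2")})
    return findings


def triggered_rules(jsonl):
    """Distinct rule names hit, in first-seen order, for a quick triage summary."""
    seen = []
    for f in detect_wce_artifacts(jsonl):
        if f["rule"] not in seen:
            seen.append(f["rule"])
    return seen


if __name__ == "__main__":
    for finding in detect_wce_artifacts(SAMPLE_EVENTS):
        print(finding)
```

The filter keys on the file name of the image path rather than the full path so that a hit still fires when lsass.exe is referenced through a different drive letter or casing; the Signed check compares a stringified value because exported Sysmon fields arrive as text. A service install named WCESERVICE is the one high-confidence artifact the profile gives, while the two Sysmon rules are broader and will also catch other tooling that touches LSASS, so they belong in a tiered alert rather than a single-event block.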
Groups observed using it
11 distinct threat actors attributed by public researchers.
APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.
Tools: Mimikatz, Invoke-Mimikatz, Windows Credential Editor (WCE), fgdump, pwdump6, pwdumpX
APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials... Windows Credential Editor can dump credentials.
Additionally, the Windows Sysinternals ProcDump utility and Windows Credential Editor (WCE) are believed to be used during intrusions as well.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Execution (1 technique)
Installation of Mimikatz driver. Let's hunt it! event_id:7045 AND (event_data.ServiceName:*mimidrv* OR event_data.ImagePath:*mimidrv*)
Persistence (1 technique)
Privilege Escalation (3 techniques)
APT3 has used a tool to dump credentials by injecting itself into lsass.exe
CreateRemoteThread into LSASS. Sysmon events Mimikatz (lsadump::lsa /inject) lsadump PWDump6 Windows Credential Editor (WCE)
Stealth (2 techniques)
Credential Access (2 techniques)
Multiple groups are described as using credential theft tools including Mimikatz, pwdump, gsecdump, Windows Credential Editor, LaZagne, KeeThief, ChromePass, and Nirsoft WebBrowserPassView.
LSASS memory contains a lot of sensitive data that can be dumped!... There are several ways: • online from ring3 – OpenProcess…; • online from ring0 – use driver for accessing LSASS memory; • offline from LSASS memory dumps; • offline from other sources that contain LSASS memory.
Lateral Movement (3 techniques)
WCE (Remote Login) ... Remotely executes a command on another machine ... Windows Management Instrumentation ... WMIC.exe ... WmiPrvSE.exe ... random 5-digit port (WMIC)
WCE (Remote Login) pass-the-hash, pass-the-ticket ... Mimikatz (Remote Login) pass-the-hash, pass-the-ticket ... Executes a command with another user's privileges using a hash of the acquired password
Table of contents includes "Pass-the-hash, Pass-the-ticket" and tools like WCE and Mimikatz for remote login; PWDumpX notes it "uses the acquired hash to perform attacks such as pass-the-hash."
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Credential dumping tool used to retrieve credentials from Windows systems, including LSASS-related extraction techniques; leaves service, file, and named pipe artifacts.
Credential dumping tool used to extract credentials from Windows memory and local stores (e.g., SAM), including cached credentials.
Credential theft utility included in the attacker toolkit to capture credentials in enterprise environments, supporting privilege escalation and ransomware deployment.
Credential theft utility used to extract credentials from Windows systems during intrusions.