Wdigest Enable UseLogonCredential
Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
Sigma rule
title: Wdigest Enable UseLogonCredential
id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
status: test
description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
references:
    - https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html
    - https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
    - https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-09-12
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'WDigest\UseLogonCredential'
        Details: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Unknown
level: high
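To show what the selection above actually matches, here is an added example (not part of the rule or of SigmaHQ's tooling) that applies the same logic to a handful of constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records. It assumes the usual Sigma conventions: the windows/registry_set logsource maps to Sysmon EID 13, string comparisons and the endswith modifier are case-insensitive, and Sysmon renders a DWORD value as the text "DWORD (0x00000001)". The events, image paths and field layout are all made up for the demonstration.

```python
"""Run the Sigma selection from the WDigest rule over constructed registry events."""

RULE_TITLE = "Wdigest Enable UseLogonCredential"
RULE_LEVEL = "high"

# The two selection terms exactly as written in the rule.
SIGMA_TARGET_SUFFIX = "WDigest\\UseLogonCredential"
SIGMA_DETAILS = "DWORD (0x00000001)"

WDIGEST_KEY = "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest"

# Constructed Sysmon-style records (not from a real host). Field names follow
# the Sysmon EID 13 schema that the windows/registry_set logsource maps onto.
SAMPLE_EVENTS = [
    # 1. UseLogonCredential set to 1: this is what the rule is for.
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": WDIGEST_KEY + "\\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    # 2. Same value set back to 0 (the hardened state): must not fire.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": WDIGEST_KEY + "\\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
    # 3. Same change, but the path is logged in a different case: Sigma
    #    matching is case-insensitive, so this still fires.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": WDIGEST_KEY.lower() + "\\uselogoncredential",
     "Details": "DWORD (0x00000001)"},
    # 4. Key creation (EID 12) on the same path: not a registry_set event.
    {"EventID": 12, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": WDIGEST_KEY + "\\UseLogonCredential",
     "Details": None},
    # 5. A different value under the same provider key: suffix does not match.
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": WDIGEST_KEY + "\\Negotiate",
     "Details": "DWORD (0x00000001)"},
]


def is_registry_set(event):
    """logsource category registry_set -> Sysmon Event ID 13 (value set)."""
    return event.get("EventID") == 13


def matches_selection(event):
    """Evaluate the rule's 'selection' block; Sigma compares case-insensitively."""
    target = str(event.get("TargetObject") or "").lower()
    details = str(event.get("Details") or "").lower()
    return (target.endswith(SIGMA_TARGET_SUFFIX.lower())
            and details == SIGMA_DETAILS.lower())


def detect(events):
    """Return one alert dict per event that satisfies logsource + selection."""
    alerts = []
    for event in events:
        if is_registry_set(event) and matches_selection(event):
            alerts.append({
                "rule": RULE_TITLE,
                "level": RULE_LEVEL,
                "image": event.get("Image"),
                "target": event.get("TargetObject"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['rule']}: "
              f"{alert['image']} set {alert['target']}")
```

Events 1 and 3 fire; event 2 does not, because a value of 0 is the protected state that the Microsoft advisory in the references introduced, so a detection on 0x00000000 would only add noise. The `Details` comparison is the fragile part: it relies on Sysmon's textual rendering of a DWORD, so a pipeline that feeds the rule from a different registry auditing source would need its own field mapping for that term.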
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry