Enable WDigest using PowerShell
Rule to detect registry modifications that enable WDigest, made with PowerShell from the command line.
Sigma rule
```yaml
title: Enable WDigest using PowerShell
id: bda01c73-45bc-4997-8c63-f993ec08e87e
status: experimental
description: Rule to detect registry modifications to enable WDigest using powershell over the commandline.
author: The DFIR Report
references:
    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
date: 2022/06/06
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - 'Set-ItemProperty'
            - 'WDigest'
            - 'UseLogonCredential'
            - 'Value'
            - '1'
    condition: selection
falsepositives:
    - Admin activity
level: medium
```
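As an added example (not part of the rule page or of The DFIR Report's own code), the selection above evaluated in Python over constructed process-creation events; the event dicts, the `HKLM:\...\WDigest` placeholder path and the helper names are assumptions. Sigma compares strings case-insensitively by default, which the helper mirrors, and the samples show why the false-positive surface is broad: the bare `'1'` substring is already satisfied by the `v1.0` in the PowerShell image path, so an admin resetting the value to 0 still fires.

```python
from typing import Dict, List

# The rule's selection, transcribed from the YAML above.
IMAGE_SUFFIX = r"\powershell.exe"
REQUIRED_SUBSTRINGS = ("Set-ItemProperty", "WDigest", "UseLogonCredential", "Value", "1")


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate `condition: selection` for one process_creation event.

    Sigma string modifiers (endswith, contains|all) are case-insensitive by
    default, so both sides are lower-cased before comparison.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX.lower()):
        return False
    return all(s.lower() in cmdline for s in REQUIRED_SUBSTRINGS)


def scan(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (not real telemetry). Only the Image and
# CommandLine fields the selection reads are populated. 'HKLM:\...\WDigest'
# is a placeholder; the page does not spell out the full key path.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0: the activity the rule targets -> match
    {"Image": PS,
     "CommandLine": r"powershell.exe Set-ItemProperty -Path 'HKLM:\...\WDigest' -Name UseLogonCredential -Value 1"},
    # 1: same command under PowerShell 7; Image ends with \pwsh.exe, so the
    #    selection does not cover it -> no match (coverage gap to note)
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe Set-ItemProperty -Path 'HKLM:\...\WDigest' -Name UseLogonCredential -Value 1"},
    # 2: admin resetting the value to 0 ("Admin activity") -> still matches,
    #    because '1' is satisfied by "v1.0" in the image path on the command line
    {"Image": PS,
     "CommandLine": PS + r" Set-ItemProperty -Path 'HKLM:\...\WDigest' -Name UseLogonCredential -Value 0"},
    # 3: unrelated Set-ItemProperty call, no WDigest/UseLogonCredential -> no match
    {"Image": PS,
     "CommandLine": r"powershell.exe Set-ItemProperty -Path 'HKCU:\...\Explorer' -Name Hidden -Value 1"},
]

if __name__ == "__main__":
    print("alerting events:", scan(SAMPLE_EVENTS))  # → [0, 2]
```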
Related rules
- Enabling RDP service via reg.exe command execution
- Enable WDigest using PowerShell (ps_module)
- Enabling restricted admin mode
- Conhost Suspicious Command Execution
- Malicious QakBot Dropped File Creation (Event 4663)