Registry Query for WDigest

 1title: Registry Query for WDigest
 2id: cf23c788-c4de-4607-9205-68b2b11f5029 
 3status: experimental
 4description: Rule to detect discovery activity for WDigest registry settings
 5author: The DFIR Report
 6references:
 7    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
 8date: 2022-06-05
 9modified: 2024-02-23
10tags:
11    - attack.discovery
12    - attack.t1012
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        Image|endswith: '\reg.exe'
19        CommandLine|contains|all:  
20            - 'query'
21            - 'WDigest'
22            - 'UseLogonCredential'
23    condition: selection
24falsepositives:
25    - Admin activity
26    - Auditing software
27level: medium

References

• Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration

  

  In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files o…

  
  Read More

Related rules

• AdFind Discovery
• Invoke-ShareFinder Discovery Activity
• Invoke-ShareFinder Discovery Activity
• List remote processes using tasklist
• Viewing remote directories