Registry Query for WDigest

Rule to detect discovery activity for WDigest registry settings

Sigma rule

title: Registry Query for WDigest
id: cf23c788-c4de-4607-9205-68b2b11f5029
status: experimental
description: Rule to detect discovery activity for WDigest registry settings
author: The DFIR Report
references:
    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
date: 2022-06-05
modified: 2024-02-23
tags:
    - attack.discovery
    - attack.t1012
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'query'
            - 'WDigest'
            - 'UseLogonCredential'
    condition: selection
falsepositives:
    - Admin activity
    - Auditing software
level: medium
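To show what the selection above actually matches, the rule's logic is restated below as an added Python example (not part of the rule or the Sigma repository) and run over a few constructed process_creation events. Field names follow the Sysmon-style process_creation schema the rule's logsource refers to; the event records and their ids are made up for the example.

```python
# Sigma string matching is case-insensitive unless the 'cased' modifier is
# used, so Image and CommandLine are both compared in lower case.
REQUIRED_SUBSTRINGS = ("query", "wdigest", "uselogoncredential")


def matches_wdigest_query(event: dict) -> bool:
    """Return True when a process_creation event satisfies the rule's selection:
    Image ends with '\\reg.exe' AND CommandLine contains all three substrings."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith("\\reg.exe"):
        return False
    return all(s in cmdline for s in REQUIRED_SUBSTRINGS)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: plain query of the WDigest value, as seen in the referenced report
    {"id": 1, "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Control"
                    "\\SecurityProviders\\WDigest /v UseLogonCredential"},
    # 2: same query with different casing and a quoted key path; still matches
    {"id": 2, "Image": "C:\\Windows\\SysWOW64\\reg.exe",
     "CommandLine": "REG QUERY \"HKLM\\SYSTEM\\CurrentControlSet\\Control"
                    "\\SecurityProviders\\WDigest\" /v USELOGONCREDENTIAL"},
    # 3: reg.exe querying an unrelated key; 'WDigest' and the value are absent
    {"id": 3, "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows"
                    "\\CurrentVersion\\Run"},
    # 4: identical command line but the image is not reg.exe ('\\myreg.exe'
    #    does not end with '\\reg.exe'), so the Image clause fails
    {"id": 4, "Image": "C:\\Temp\\myreg.exe",
     "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Control"
                    "\\SecurityProviders\\WDigest /v UseLogonCredential"},
]


def run_rule(events) -> list:
    """Ids of the events that trigger the rule, in input order."""
    return [e["id"] for e in events if matches_wdigest_query(e)]


if __name__ == "__main__":
    print("alerting event ids:", run_rule(SAMPLE_EVENTS))
```

Event 4 illustrates why the rule is bound to the reg.exe image: the same registry read performed by any other binary is outside this rule's scope and needs separate coverage.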
