This repository was archived by the owner on Nov 16, 2023. It is now read-only.

added wdigest-caching #207

Merged: 2 commits, Nov 11, 2020
51 changes: 51 additions & 0 deletions Credential Access/wdigest-caching.md
@@ -0,0 +1,51 @@
# Credential harvesting through WDigest cache

This query was originally published in the threat analytics report, *WDigest credential harvesting*.

[WDigest](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc778868(v=ws.10)?redirectedfrom=MSDN) is a legacy authentication protocol dating from Windows XP. While still used on some corporate networks, this protocol can be manipulated by attackers to dump system credentials.

The Microsoft Security Response Center published an [overview](https://msrc-blog.microsoft.com/2014/06/05/an-overview-of-kb2871997/) of [KB2871997](https://www.catalog.update.microsoft.com/Search.aspx?q=KB2871997), which addresses WDigest use on older platforms. More recent versions of Windows can be protected with a holistic security approach that follows the [principle of least privilege](https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models).

The following query returns any attempts to turn WDigest credential caching on through the registry.

## Query

```Kusto
​union DeviceRegistryEvents, DeviceProcessEvents
// Find attempts to turn on WDigest credential caching
| where RegistryKey contains "wdigest" and RegistryValueName == "UseLogonCredential" and
RegistryValueData == "1" or
// Find processes created with commandlines that attempt to turn on WDigest caching
ProcessCommandLine has "WDigest" and ProcessCommandLine has "UseLogonCredential" and
ProcessCommandLine has "dword" and ProcessCommandLine has "1"
| project Timestamp, DeviceName, PreviousRegistryValueData,
RegistryKey, RegistryValueName, RegistryValueData, FileName, ProcessCommandLine,
InitiatingProcessAccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine, InitiatingProcessParentFileName
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | v | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | | |
| Vulnerability | v | |
| Misconfiguration | | |
| Malware, component | | |

## Contributor info

**Contributor:** Microsoft Threat Protection team
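Review bot: the `where` clause that follows `union DeviceRegistryEvents, DeviceProcessEvents` mixes `and` with `or` without parentheses, so it only selects the intended rows because KQL binds `and` more tightly than `or`; wrap the two branches explicitly so the intent survives the next edit, e.g. `| where (RegistryKey contains "wdigest" and RegistryValueName == "UseLogonCredential" and RegistryValueData == "1") or (ProcessCommandLine has "WDigest" and ProcessCommandLine has "UseLogonCredential" and ProcessCommandLine has "dword" and ProcessCommandLine has "1")`. Two smaller points in the same block: `ProcessCommandLine has "1"` matches on term boundaries, so a value written in hex (`reg add ... /t REG_DWORD /d 0x1 /f`, which reg.exe accepts) is not matched and deserves a comment or a second term; and the query text starts with a zero-width space immediately before `union`, which makes a copy pasted into Advanced Hunting fail to parse, so strip it. In the category table, `Vulnerability` is ticked while `Misconfiguration` is left blank; flipping `UseLogonCredential` to 1 is a registry misconfiguration rather than a software vulnerability (the text itself points at KB2871997 as the hardening), so the tick belongs on the `Misconfiguration` row, or on both with a note explaining why.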