Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in cleartext in memory. On Windows 8.1 / Server 2012 R2 and later (and on earlier versions with KB2871997 installed), WDigest no longer caches plaintext credentials in LSASS by default; setting the UseLogonCredential value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to 1 re-enables that caching for every logon that follows the change. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified and a user logs on (or unlocks the session) again, the adversary may attempt to dump cleartext passwords from LSASS memory.
Rule type: eql
Risk score: 73
Runs every: 5 minutes
Maximum alerts per execution: 100
- Threat Detection
- Credential Access
Added (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
registry where event.type in ("creation", "change") and
  registry.path:"HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and
  registry.data.strings:"1"
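To see exactly which registry events this query accepts, the following Python script (an added example, not part of the Elastic rule or its documentation) emulates the rule's three conditions over a handful of constructed registry events: the EQL `:` operator is case-insensitive and treats `*` as a wildcard, so the path test is done with a lower-cased glob, and the value test is the literal string comparison the rule performs. The sample events are made up for illustration, and the assumption that some data sources render a REG_DWORD of 1 in `registry.data.strings` as `"0x00000001"` rather than `"1"` is ours, included to show the gap a practitioner should verify against their own telemetry.

```python
import fnmatch
from dataclasses import dataclass

# Conditions copied from the rule query above.
RULE_PATH = r"HKLM\SYSTEM\*ControlSet*\Control\SecurityProviders\WDigest\UseLogonCredential"
RULE_EVENT_TYPES = {"creation", "change"}
RULE_VALUES = ("1",)  # the page's rule matches only this literal


@dataclass
class RegistryEvent:
    """Minimal stand-in for an ECS registry event (constructed, not real telemetry)."""
    event_type: str      # event.type
    path: str            # registry.path
    data: str            # registry.data.strings


def path_matches(path: str, pattern: str = RULE_PATH) -> bool:
    """EQL ':' compares case-insensitively and expands '*' as a wildcard."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def matches_rule(ev: RegistryEvent, accepted_values=RULE_VALUES) -> bool:
    """Apply the rule's three ANDed conditions to one event."""
    return (
        ev.event_type in RULE_EVENT_TYPES
        and path_matches(ev.path)
        and ev.data in accepted_values
    )


def run(events, accepted_values=RULE_VALUES):
    """Return the events that would produce an alert."""
    return [ev for ev in events if matches_rule(ev, accepted_values)]


# Constructed sample events.
SAMPLE_EVENTS = [
    # 1. Attacker creates the value with "1": the rule must fire.
    RegistryEvent("creation",
                  r"HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest\UseLogonCredential",
                  "1"),
    # 2. Remediation sets it back to "0": no alert expected.
    RegistryEvent("change",
                  r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
                  "0"),
    # 3. Same weakening, but the data source reports the DWORD as hex
    #    (assumed representation): the literal "1" test misses it.
    RegistryEvent("change",
                  r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
                  "0x00000001"),
    # 4. Deleting the value is not a creation/change: no alert.
    RegistryEvent("deletion",
                  r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
                  "1"),
    # 5. A different value under WDigest with data "1": path does not match.
    RegistryEvent("change",
                  r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\Negotiate",
                  "1"),
]


def strict_hits():
    """Alerts under the rule exactly as written on the page."""
    return run(SAMPLE_EVENTS)


def extended_hits():
    """Alerts if the value test also accepted the hex DWORD rendering."""
    return run(SAMPLE_EVENTS, ("1", "0x00000001"))


if __name__ == "__main__":
    for ev in strict_hits():
        print("ALERT (rule as written):", ev.event_type, ev.path, ev.data)
    for ev in extended_hits():
        print("ALERT (with hex form):  ", ev.event_type, ev.path, ev.data)
```

Running it shows one alert for the rule as written (event 1) and two once `"0x00000001"` is also accepted (events 1 and 3). Before relying on the rule, generate a benign test event on a lab host (set the value, then restore it to 0) and confirm the string your data source places in `registry.data.strings` is the one the query compares against.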