Modification of WDigest Security Provider | Elastic Security Solution [8.0]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Modification of Standard Authentication Module or Configuration Modification or Removal of an Okta Application Sign-On Policy »

Modification of WDigest Security Provideredit

Identifies attempts to modify the WDigest security provider in the registry to force the user’s password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*
logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Host
Windows
Threat Detection
Credential Access

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule queryedit

registry where event.type in ("creation", "change") and registry.pat
h:"HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\Us
eLogonCredential" and registry.data.strings:"1"

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: OS Credential Dumping
- ID: T1003
- Reference URL: https://attack.mitre.org/techniques/T1003/

« Modification of Standard Authentication Module or Configuration Modification or Removal of an Okta Application Sign-On Policy »