IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs Elastic Security Solution [8.1] Detections and alerts Prebuilt rule reference
« Modification of Standard Authentication Module or Configuration Modification or Removal of an Okta Application Sign-On Policy »

Modification of WDigest Security Provideredit

Identifies attempts to modify the WDigest security provider in the registry to force the user’s password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Credential Access

Version: 2 (version history)

Added (Elastic Stack release): 7.12.0

Last modified (Elastic Stack release): 8.1.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule queryedit

registry where event.type : ("creation", "change") and
registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\Securit
yProviders\\WDigest\\UseLogonCredential" and registry.data.strings
: ("1", "0x00000001")

Threat mappingedit

Framework: MITRE ATT&CKTM

Rule version historyedit

Version 2 (8.1.0 release)

  • Updated query, changed from:

    registry where event.type in ("creation", "change") and registry.pat
h:"HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\Us
eLogonCredential" and registry.data.strings:"1"
« Modification of Standard Authentication Module or Configuration Modification or Removal of an Okta Application Sign-On Policy »