|
| 1 | +# Credential harvesting through WDigest cache |
| 2 | + |
| 3 | +This query was originally published in the threat analytics report, *WDigest credential harvesting*. |
| 4 | + |
| 5 | +[WDigest](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc778868(v=ws.10)?redirectedfrom=MSDN) is a legacy authentication protocol dating from Windows XP. While still used on some corporate networks, this protocol can be manipulated by attackers to dump system credentials. |
| 6 | + |
| 7 | +The Microsoft Security Response Center published an [overview](https://msrc-blog.microsoft.com/2014/06/05/an-overview-of-kb2871997/) of [KB2871997](https://www.catalog.update.microsoft.com/Search.aspx?q=KB2871997), which addresses WDigest use on older platforms. More recent versions of Windows can be protected with a holistic security approach that follows the [principle of least privilege](https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models). |
| 8 | + |
| 9 | +The following query returns any attempts to turn WDigest credential caching on through the registry. |
| 10 | + |
| 11 | +## Query |
| 12 | + |
| 13 | +```Kusto |
| 14 | +union DeviceRegistryEvents, DeviceProcessEvents |
| 15 | +// Find attempts to turn on WDigest credential caching |
| 16 | +| where RegistryKey contains "wdigest" and RegistryValueName == "UseLogonCredential" and |
| 17 | +RegistryValueData == "1" or |
| 18 | +// Find processes created with commandlines that attempt to turn on WDigest caching |
| 19 | +ProcessCommandLine has "WDigest" and ProcessCommandLine has "UseLogonCredential" and |
| 20 | +ProcessCommandLine has "dword" and ProcessCommandLine has "1" |
| 21 | +| project Timestamp, DeviceName, PreviousRegistryValueData, |
| 22 | +RegistryKey, RegistryValueName, RegistryValueData, FileName, ProcessCommandLine, |
| 23 | +InitiatingProcessAccountName, InitiatingProcessFileName, |
| 24 | +InitiatingProcessCommandLine, InitiatingProcessParentFileName |
| 25 | +``` |
| 26 | + |
| 27 | +## Category |
| 28 | + |
| 29 | +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. |
| 30 | + |
| 31 | +| Technique, tactic, or state | Covered? (v=yes) | Notes | |
| 32 | +|-|-|-| |
| 33 | +| Initial access | | | |
| 34 | +| Execution | | | |
| 35 | +| Persistence | | | |
| 36 | +| Privilege escalation | | | |
| 37 | +| Defense evasion | | | |
| 38 | +| Credential Access | v | | |
| 39 | +| Discovery | | | |
| 40 | +| Lateral movement | | | |
| 41 | +| Collection | | | |
| 42 | +| Command and control | | | |
| 43 | +| Exfiltration | | | |
| 44 | +| Impact | | | |
| 45 | +| Vulnerability | v | | |
| 46 | +| Misconfiguration | | | |
| 47 | +| Malware, component | | | |
| 48 | + |
| 49 | +## Contributor info |
| 50 | + |
| 51 | +**Contributor:** Microsoft Threat Protection team |
0 commit comments