Detection rules › Kusto Query Language

WDigest downgrade attack

Source: upstream

'When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory. Ref: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753'

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1003` OS Credential Dumping

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `source`

Event

Stage 2: `where`

and
  EventID eq "13"
  EventLog eq "Microsoft-Windows-Sysmon/Operational"

Stage 3: `parse`

Stage 4: `where`

and
  Details ne "DWORD (0x00000000)"
  TargetObject eq "HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential"

Stage 5: `summarize`

Stage 6: `extend`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	ne	`DWORD (0x00000000)`
`EventID`	in	`13`
`EventLog`	eq	`Microsoft-Windows-Sysmon/Operational`
`TargetObject`	eq	`HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential`

WDigest downgrade attack

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: parse

Stage 4: where

Stage 5: summarize