Threat Feed
Severity: high

Modification of WDigest Security Provider

The rule detects attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory, which could lead to credential dumping.

The WDigest security provider is a legacy authentication protocol that, when enabled, stores user passwords in cleartext within LSASS memory. Modern Windows versions (8.1+ and Server 2012 R2+) disable this behavior by default. Attackers can modify the UseLogonCredential registry value under the WDigest configuration to re-enable plaintext credential caching. This manipulation is a common precursor to credential dumping attacks, where tools like Mimikatz are used to extract sensitive information from LSASS. Defenders should monitor for unauthorized modifications to the WDigest configuration to prevent credential theft. The rule provided by Elastic aims to detect these modifications.

Attack Chain

  1. An attacker gains initial access to a Windows system, either with compromised credentials (e.g., obtained through phishing or used over exposed RDP) or by exploiting a vulnerability.
  2. The attacker executes code (e.g., PowerShell script or executable) with sufficient privileges to modify the registry.
  3. The malicious code modifies the UseLogonCredential registry value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest or a similar path.
  4. The attacker sets the UseLogonCredential value to 1 (or 0x00000001), enabling plaintext storage of credentials.
  5. A user logs on to the system, causing their credentials to be stored in cleartext in LSASS memory.
  6. The attacker uses credential dumping tools like Mimikatz to extract the cleartext passwords from LSASS.
  7. The attacker uses the stolen credentials for lateral movement or to access sensitive data.

Impact

Successful modification of the WDigest security provider can lead to widespread credential compromise. Attackers can harvest credentials for privileged accounts, enabling them to move laterally within the network, access sensitive resources, and potentially achieve domain dominance. This can result in data breaches, financial loss, and reputational damage.

Recommendation

  • Deploy the Sigma rule “Modification of WDigest Security Provider” to your SIEM to detect malicious registry modifications (rule d703a5af-d5b0-43bd-8ddb-7a5d500b7da5).
  • Enable Sysmon registry event logging to capture the necessary data for the provided Sigma rule to function.
  • Monitor process creation events for unexpected processes modifying registry keys related to WDigest.
  • Review and restrict access control lists (ACLs) on the WDigest registry keys to prevent unauthorized modifications.
  • Investigate any alerts generated by the Sigma rule, focusing on the process that made the modification, the user context, and any subsequent activity.

Detection coverage (2 rules)

Modification of WDigest Security Provider

high

Detects attempts to modify the WDigest security provider by setting the UseLogonCredential value to 1.

Type: sigma | Tactics: credential_access | Techniques: T1187 | Sources: registry_set, windows

Suspicious Process Modifying WDigest Registry

medium

Detects processes other than svchost.exe modifying the WDigest registry key.

Type: sigma | Tactics: credential_access | Techniques: T1187 | Sources: registry_set, windows
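The two rules above and the Sysmon recommendation in the previous section can be exercised offline. The following Python is an added example written for this advisory, not the vendor's rule logic or a Sigma backend: it models the fields Sysmon writes for Event ID 13 (RegistryEvent: Value Set), runs both rule conditions over a handful of constructed events, and returns the alerts a SIEM would raise. The event values, user names and timestamps are constructed for illustration; the registry path and the DWORD rendering ("DWORD (0x00000001)") follow what Sysmon emits for this key.

```python
"""Evaluate constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records
against the two WDigest detection rules described in this advisory."""
from dataclasses import dataclass
import re

# The high rule keys on the UseLogonCredential value itself; the medium rule
# keys on any value under the WDigest key. Matching is case-insensitive
# because Sysmon renders HKLM paths with mixed case.
WDIGEST_KEY_RE = re.compile(r"\\SecurityProviders\\WDigest\\", re.IGNORECASE)
USELOGONCRED_RE = re.compile(
    r"\\SecurityProviders\\WDigest\\UseLogonCredential$", re.IGNORECASE)
# Sysmon renders a REG_DWORD write as "DWORD (0x00000001)".
DWORD_ONE_RE = re.compile(r"^DWORD \(0x0*1\)$", re.IGNORECASE)

RULE_HIGH = "Modification of WDigest Security Provider"
RULE_MEDIUM = "Suspicious Process Modifying WDigest Registry"


@dataclass(frozen=True)
class RegistrySetEvent:
    """Subset of Sysmon EID 13 fields needed by the two rules."""
    utc_time: str
    image: str          # full path of the process that wrote the value
    user: str           # account the writing process ran as
    target_object: str  # registry path of the value written
    details: str        # rendered data, e.g. "DWORD (0x00000001)"


def rule_wdigest_enabled(ev: RegistrySetEvent) -> bool:
    """High: UseLogonCredential set to 1, re-enabling plaintext caching."""
    return (USELOGONCRED_RE.search(ev.target_object) is not None
            and DWORD_ONE_RE.match(ev.details) is not None)


def rule_non_svchost_writer(ev: RegistrySetEvent) -> bool:
    """Medium: any process other than svchost.exe touching the WDigest key."""
    writer = ev.image.rsplit("\\", 1)[-1].lower()
    return (WDIGEST_KEY_RE.search(ev.target_object) is not None
            and writer != "svchost.exe")


def evaluate(events):
    """Return (utc_time, rule, image, user) for every rule that fires."""
    alerts = []
    for ev in events:
        if rule_wdigest_enabled(ev):
            alerts.append((ev.utc_time, RULE_HIGH, ev.image, ev.user))
        if rule_non_svchost_writer(ev):
            alerts.append((ev.utc_time, RULE_MEDIUM, ev.image, ev.user))
    return alerts


WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    # svchost.exe (Group Policy refresh) re-asserting the hardened default: no alert
    RegistrySetEvent("2024-05-01 10:00:00.000", r"C:\Windows\System32\svchost.exe",
                     r"NT AUTHORITY\SYSTEM", WDIGEST_KEY + r"\UseLogonCredential",
                     "DWORD (0x00000000)"),
    # reg.exe flipping the value to 1 under an interactive user: both rules fire
    RegistrySetEvent("2024-05-01 10:05:12.417", r"C:\Windows\System32\reg.exe",
                     r"CORP\jdoe", WDIGEST_KEY + r"\UseLogonCredential",
                     "DWORD (0x00000001)"),
    # svchost.exe writing 1 (a misconfigured policy would look like this): high only
    RegistrySetEvent("2024-05-01 10:07:30.002", r"C:\Windows\System32\svchost.exe",
                     r"NT AUTHORITY\SYSTEM", WDIGEST_KEY + r"\UseLogonCredential",
                     "DWORD (0x00000001)"),
    # PowerShell writing a different value under the WDigest key: medium only
    RegistrySetEvent("2024-05-01 10:09:01.900",
                     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"CORP\jdoe", WDIGEST_KEY + r"\Negotiate", "DWORD (0x00000001)"),
    # Unrelated registry write by a non-svchost process: no alert
    RegistrySetEvent("2024-05-01 10:11:45.120", r"C:\Program Files\Vendor\updater.exe",
                     r"NT AUTHORITY\SYSTEM",
                     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                     r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    for when, rule, image, user in evaluate(SAMPLE_EVENTS):
        print(f"{when}  [{rule}]  image={image}  user={user}")
```

The second and third sample events show why the two rules complement each other: a write of 1 by svchost.exe still fires the high rule, while a non-svchost writer touching any WDigest value fires the medium rule even when the data is not 1. When triaging, the image and user fields in each alert are the starting point the Recommendation section asks for.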
