Skip to content
Threat Feed
high advisory

WDigest Security Provider Registry Modification

Adversaries may modify the WDigest security provider registry key to force the storage of user passwords in cleartext, enabling credential dumping and unauthorized access.

The WDigest security provider, a legacy authentication protocol, can be manipulated to store user credentials in cleartext within system memory. Attackers modify the UseLogonCredential registry value to force WDigest to store passwords insecurely, even in newer Windows versions where this is not the default behavior. The targeted registry key is located at HKLM\SYSTEM\*ControlSet*\Control\SecurityProviders\WDigest\UseLogonCredential. This activity is often associated with credential dumping tools like Mimikatz and is a critical indicator of active post-compromise behavior, enabling attackers to steal credentials and escalate privileges. This technique can be used on any Windows version, though it is most effective on older systems.

Attack Chain

  1. Initial Access: An attacker gains initial access to a system through various means, such as exploiting a vulnerability or using stolen credentials.
  2. Privilege Escalation (if necessary): The attacker escalates privileges to gain administrative rights, which are required to modify the registry.
  3. Registry Modification: The attacker modifies the HKLM\SYSTEM\*ControlSet*\Control\SecurityProviders\WDigest\UseLogonCredential registry key, setting its value to 1 (or 0x00000001), using tools like reg.exe or PowerShell.
  4. Credential Exposure: The system begins storing user passwords in cleartext in memory due to the modified WDigest settings.
  5. Credential Dumping: The attacker uses credential dumping tools like Mimikatz to extract the cleartext passwords from memory.
  6. Lateral Movement: The attacker uses the stolen credentials to move laterally to other systems within the network.
  7. Data Exfiltration / Persistence: The attacker may use the compromised accounts to access sensitive data or establish persistence for long-term access.

Impact

Successful modification of the WDigest security provider allows attackers to dump cleartext passwords from memory, potentially compromising entire domains. This can lead to unauthorized access to sensitive data, systems, and services. This impacts all Windows environments, though its effectiveness is higher on older systems. An attacker with domain admin credentials can compromise the entire environment.

Recommendation

  • Deploy the Sigma rule "Detect WDigest Registry Modification" to your SIEM to detect malicious modifications of the UseLogonCredential registry key in near real-time.
  • Enable Sysmon registry event logging to monitor registry modifications, which is a requirement for the Sigma rule "Detect WDigest Registry Modification".
  • Investigate any alerts generated by the Sigma rule "Detect WDigest Registry Modification" with high priority, as this behavior is typically indicative of an active attacker.
  • Monitor for the execution of credential dumping tools, such as Mimikatz, after a WDigest registry modification is detected.
  • Implement the principle of least privilege to minimize the number of accounts with administrative rights, reducing the impact of credential theft.

Detection coverage 3

Detect WDigest Registry Modification

high

Detects attempts to modify the WDigest security provider registry key to enable cleartext password storage.

sigma tactics: credential_access, defense_evasion techniques: T1003.001, T1112 sources: registry_set, windows

Detect WDigest Registry Modification (PowerShell)

high

Detects attempts to modify the WDigest security provider registry key using PowerShell.

sigma tactics: credential_access, defense_evasion techniques: T1003.001, T1112 sources: process_creation, windows

Detect WDigest Registry Modification (reg.exe)

high

Detects attempts to modify the WDigest security provider registry key using reg.exe.

sigma tactics: credential_access, defense_evasion techniques: T1003.001, T1112 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →