Hi there!! Thank you for visiting @SecurityResearch-Note. Today I'm diving into the WDigest credential harvesting attack, breaking it down into three parts.
- WDigest credential harvesting - Attack technique
- WDigest credential harvesting - Detection
- WDigest credential harvesting - Threat Hunting
WDigest is a legacy authentication protocol that is still found in corporate networks, and attackers exploit it to steal passwords and evade security controls. When it is enabled, logon credentials are kept in plain text in LSASS memory, which makes it a favored target. Attackers turn WDigest on by modifying a registry setting, reaching that point through various attack vectors.
WDigest credential harvesting attack flow, Threat Analytics in Microsoft 365 Defender
The attack flow begins with disabling the antivirus solution by changing registry keys, then enabling WDigest through the registry and downloading the Mimikatz tool. After that, Mimikatz is run with the "sekurlsa::wdigest" command to read the cached plaintext credentials. The three Defender Antivirus settings changed in the first step, with the feature each registry value controls, are:
- DisableRealtimeMonitoring, [Real-time protection]
- SpynetReporting, [Cloud-delivered protection]
- SubmitSamplesConsent, [Automatic sample submission]
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
Important
These commands turn off Microsoft Defender Antivirus protection features. The most effective way to prevent and detect this technique is to enable Tamper Protection, which blocks attempts to disable antivirus protection through settings changes like these.
MITRE | ATT&CK, Modify Registry, T1112, Wdigest
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 1 /f
Important
Even if the antivirus did not detect and prevent the WDigest configuration change, Microsoft Defender for Endpoint, as an EDR solution, can detect this activity and raise alerts.
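To check a host for the two conditions described above (WDigest plaintext caching turned on in the registry, and the Defender protection and Tamper Protection state), here is an added PowerShell audit script. It is example code written for this post, not part of the original article or of any Microsoft tooling; it assumes an elevated session on the endpoint, and it uses only the built-in Get-ItemProperty, Get-MpComputerStatus and Get-MpPreference cmdlets. The Disable-WDigestCaching helper name is my own.

```powershell
# Added example (not from the original post): audit a host for WDigest
# plaintext credential caching and for the Defender settings targeted by the
# reg.exe commands above. Run in an elevated PowerShell session.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestCachingState {
    $item = Get-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: on Windows 8.1 / Server 2012 R2 and later (or older systems
        # with KB2871997) this is the secure default and no plaintext is cached.
        return [pscustomobject]@{ Present = $false; Value = $null; PlaintextCaching = $false }
    }
    [pscustomobject]@{
        Present          = $true
        Value            = [int]$item.UseLogonCredential
        PlaintextCaching = ([int]$item.UseLogonCredential -eq 1)
    }
}

function Get-DefenderProtectionState {
    # Get-MpComputerStatus reports the runtime state; Get-MpPreference reports the
    # configured preferences that the policy registry values above override.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        TamperProtected           = $status.IsTamperProtected
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        MAPSReporting             = $pref.MAPSReporting         # 0 = cloud-delivered protection off
        SubmitSamplesConsent      = $pref.SubmitSamplesConsent  # 2 = never send samples
    }
}

function Disable-WDigestCaching {
    # Hypothetical helper name: explicitly pin the value to 0 so that an absent
    # value cannot later be "created" as 1 without changing an existing setting.
    Set-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' -Type DWord -Value 0
    Get-WDigestCachingState
}

$wdigest  = Get-WDigestCachingState
$defender = Get-DefenderProtectionState

if ($wdigest.PlaintextCaching) {
    Write-Warning 'UseLogonCredential is 1: WDigest will store credentials as plaintext in LSASS memory.'
    # Uncomment to remediate on the spot:
    # Disable-WDigestCaching | Out-Null
}
if (-not $defender.TamperProtected) {
    Write-Warning 'Tamper Protection is off: the Defender registry changes shown above would not be blocked.'
}
if ($defender.DisableRealtimeMonitoring -or $defender.MAPSReporting -eq 0 -or $defender.SubmitSamplesConsent -eq 2) {
    Write-Warning 'One or more Defender protection features are turned off; compare with the three reg.exe values above.'
}

# Emit a single object so the result can be collected centrally (e.g. as JSON).
[pscustomobject]@{ WDigest = $wdigest; Defender = $defender } | ConvertTo-Json -Depth 3
```

The warnings map one-to-one onto the three Defender values and the WDigest value that the attack flow changes, so a clean run (no warnings, `TamperProtected` true, `PlaintextCaching` false) is the baseline you want to see before the hunting queries below ever fire.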
Download - GitHub - ParrotSec/mimikatz
mimikatz # privilege::debug
mimikatz # sekurlsa::wdigest
Important
In terms of endpoint protection, Microsoft Defender Antivirus and Microsoft Defender for Endpoint are the most effective solutions for preventing and detecting Mimikatz activity. For lateral movement and identity visibility, Microsoft Defender for Identity is a valuable product for detecting such activity.
After simulating a WDigest credential harvesting attack, let's examine how this attack is mapped into a single incident in the Microsoft 365 Defender portal.
All the attack techniques, from disabling antivirus to executing Mimikatz, were detected by Microsoft Defender for Endpoint, generating 11 alerts. Additionally, Threat Analytics provides insights related to Mimikatz and WDigest credential harvesting.
On the incident page you will see the alerts, related assets, MITRE techniques, and more. I'd like to highlight some of the alerts from the simulation, shown below.
A protection feature in Microsoft Defender Antivirus has been turned off. An attacker might be trying to evade detection.
An attempt to turn on the WDigest authentication provider through the registry was observed. If the attempt is successful, WDigest will load on the next restart and begin to store credentials as plaintext in LSASS process memory. An attacker might be attempting to collect those credentials.
A known credential theft tool execution command line was detected. Either the process itself or its command line indicated an intent to dump users' credentials, keys, plain-text passwords and more.
Note
The two Mimikatz commands (mimikatz # privilege::debug, mimikatz # sekurlsa::wdigest) which I simulated on the device were detected by Microsoft Defender for Endpoint. Also, an alert, 'Mimikatz credential theft tool', was triggered when Mimikatz was downloaded to the device.
For threat hunting purposes, here are some KQL queries to track activities like disabling antivirus, changing the WDigest configuration, and executing the Mimikatz tool.
This query hunts for registry activity under the Microsoft Defender Antivirus policy key, which is where the three reg.exe commands above write.
DeviceRegistryEvents
| where Timestamp > ago(30d)
| where RegistryKey has @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
| project-reorder Timestamp, DeviceId, DeviceName, ActionType, RegistryKey, RegistryValueType, RegistryValueName, RegistryValueData
| sort by Timestamp desc
This query helps identify attempts to enable WDigest credential caching, either as a registry event or as a process command line that writes the value.
union DeviceRegistryEvents, DeviceProcessEvents
// Find attempts to turn on WDigest credential caching
| where (RegistryKey contains "wdigest" and RegistryValueName == "UseLogonCredential" and RegistryValueData == "1") or
// Find processes created with command lines that attempt to turn on WDigest caching
    (ProcessCommandLine has "WDigest" and ProcessCommandLine has "UseLogonCredential" and ProcessCommandLine has "dword" and ProcessCommandLine has "1")
| project Timestamp, DeviceName, PreviousRegistryValueData,
    RegistryKey, RegistryValueName, RegistryValueData, FileName, ProcessCommandLine,
    InitiatingProcessAccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, InitiatingProcessParentFileName
Source: WDigest credential harvesting, Threat Analytics in Microsoft 365 Defender
This query lists the unique Mimikatz-style command lines seen on each device.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("powershell.exe","powershell_ise.exe", "mimikatz.exe")
| where ProcessCommandLine has_any ("sekurlsa","kerberos","crypto", "vault", "lsadump") or InitiatingProcessCommandLine has_any ("sekurlsa","kerberos","crypto", "vault", "lsadump")
| summarize make_set(ProcessCommandLine) by DeviceId, DeviceName
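For devices that are not onboarded to Defender for Endpoint, or for an evtx file collected during incident response, here is an added PowerShell counterpart to the first two hunts above. It is example code written for this post, not from the original article or from Microsoft; it reads the local Defender operational log (events 5001 and 5007) and Security event 4657 with Get-WinEvent. It assumes that "Audit Registry" auditing is enabled and that a SACL exists on the WDigest key, otherwise no 4657 events are written; the function names are my own.

```powershell
# Added example (not from the original post): local event-log hunts that
# mirror the Defender-settings and WDigest KQL queries above.

function Get-EventDataValue {
    # Pull a named <Data> field out of an event's XML payload.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-DefenderProtectionChange {
    # 5001 = real-time protection disabled, 5007 = antimalware platform
    # configuration changed (includes the old and new setting in the message).
    param([int]$Days = 30, [string]$Path)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    if ($Path) { $filter.Remove('LogName'); $filter['Path'] = $Path }
    # Get-WinEvent throws when nothing matches; treat that as "no findings".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Find-WDigestRegistryChange {
    # 4657 = a registry value was modified. ObjectName uses the native path
    # (\REGISTRY\MACHINE\SYSTEM\ControlSet001\...), so match on the key tail.
    param([int]$Days = 30, [string]$Path)
    $filter = @{
        LogName   = 'Security'
        Id        = 4657
        StartTime = (Get-Date).AddDays(-$Days)
    }
    if ($Path) { $filter.Remove('LogName'); $filter['Path'] = $Path }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $obj = Get-EventDataValue $_ 'ObjectName'
            $val = Get-EventDataValue $_ 'ObjectValueName'
            if ($obj -like '*\SecurityProviders\WDigest*' -and $val -eq 'UseLogonCredential') {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    User        = Get-EventDataValue $_ 'SubjectUserName'
                    Process     = Get-EventDataValue $_ 'ProcessName'
                    OldValue    = Get-EventDataValue $_ 'OldValue'
                    NewValue    = Get-EventDataValue $_ 'NewValue'
                }
            }
        }
}

# Live host, last 30 days:
Find-DefenderProtectionChange | Format-Table -AutoSize
Find-WDigestRegistryChange    | Format-Table -AutoSize

# Collected evidence instead of the live log (paths are placeholders):
# Find-WDigestRegistryChange -Path 'C:\evidence\Security.evtx' -Days 90
```

A 4657 row whose `NewValue` is 1 for `UseLogonCredential`, followed minutes later by a `sekurlsa`-style command line from the third KQL query, is the same sequence the incident page above shows; the `Process` column tells you which binary (reg.exe, PowerShell, or something else) made the change, which is the pivot the `InitiatingProcessFileName` column gives you in advanced hunting.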
- Forcing WDigest to Store Credentials in Plaintext
- "WDigest credential harvesting", from Threat Analytics in Microsoft 365 Defender
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the company.