Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. WDigest downgrade attack

WDigest downgrade attack

Back
Idf6502545-ae3a-4232-a8b0-79d87e5c98d7
RulenameWDigest downgrade attack
DescriptionWhen the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.

Ref: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753
SeverityMedium
TacticsCredentialAccess
TechniquesT1003
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/WDigestDowngradeAttack.yaml
Version1.0.3
Arm templatef6502545-ae3a-4232-a8b0-79d87e5c98d7.json
Deploy To Azure
Event
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
| parse EventData with * 'TargetObject">' TargetObject "<" * 'Details">' Details "<" * 
| where TargetObject=~"HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and Details !="DWORD (0x00000000)"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer,  TargetObject, Details
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')

name: WDigest downgrade attack
id: f6502545-ae3a-4232-a8b0-79d87e5c98d7
description: |
  'When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.
  Ref: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753'  
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: TargetObject
    identifier: Key
  entityType: RegistryKey
- fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
  entityType: Host
version: 1.0.3
triggerOperator: gt
query: |
  Event
  | where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
  | parse EventData with * 'TargetObject">' TargetObject "<" * 'Details">' Details "<" * 
  | where TargetObject=~"HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and Details !="DWORD (0x00000000)"
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer,  TargetObject, Details
  | extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')  
tactics:
- CredentialAccess
kind: Scheduled
queryFrequency: 1h
severity: Medium
queryPeriod: 1h
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SecurityEvent
  connectorId: WindowsSecurityEvents
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/WDigestDowngradeAttack.yaml
relevantTechniques:
- T1003