Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. WDigest downgrade attack

WDigest downgrade attack

Back
Idf6502545-ae3a-4232-a8b0-79d87e5c98d7
RulenameWDigest downgrade attack
DescriptionWhen the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.

Ref: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753
SeverityMedium
TacticsCredentialAccess
TechniquesT1003
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/WDigestDowngradeAttack.yaml
Version1.0.3
Arm templatef6502545-ae3a-4232-a8b0-79d87e5c98d7.json
Deploy To Azure
Event
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
| parse EventData with * 'TargetObject">' TargetObject "<" * 'Details">' Details "<" * 
| where TargetObject=~"HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and Details !="DWORD (0x00000000)"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer,  TargetObject, Details
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')

relevantTechniques:
- T1003
name: WDigest downgrade attack
queryFrequency: 1h
version: 1.0.3
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
tactics:
- CredentialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/WDigestDowngradeAttack.yaml
query: |
  Event
  | where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
  | parse EventData with * 'TargetObject">' TargetObject "<" * 'Details">' Details "<" * 
  | where TargetObject=~"HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and Details !="DWORD (0x00000000)"
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer,  TargetObject, Details
  | extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')  
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: TargetObject
    identifier: Key
  entityType: RegistryKey
- fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
  entityType: Host
queryPeriod: 1h
triggerOperator: gt
id: f6502545-ae3a-4232-a8b0-79d87e5c98d7
status: Available
description: |
  'When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.
  Ref: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753'