WDigest downgrade attack
Id | f6502545-ae3a-4232-a8b0-79d87e5c98d7 |
Rulename | WDigest downgrade attack |
Description | When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory. Ref: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753 |
Severity | Medium |
Tactics | CredentialAccess |
Techniques | T1003 |
Required data connectors | SecurityEvents |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/WDigestDowngradeAttack.yaml |
Version | 1.0.0 |
Arm template | f6502545-ae3a-4232-a8b0-79d87e5c98d7.json |
Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
| parse EventData with * 'TargetObject">' TargetObject "<" * 'Details">' Details "<" *
| where TargetObject=="HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and Details !="DWORD (0x00000000)"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details
name: WDigest downgrade attack
query: |
Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID in (13)
| parse EventData with * 'TargetObject">' TargetObject "<" * 'Details">' Details "<" *
| where TargetObject=="HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and Details !="DWORD (0x00000000)"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/WDigestDowngradeAttack.yaml
queryFrequency: 1h
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
- SecurityEvent
connectorId: SecurityEvents
version: 1.0.0
status: Available
queryPeriod: 1h
id: f6502545-ae3a-4232-a8b0-79d87e5c98d7
triggerOperator: gt
entityMappings:
- fieldMappings:
- identifier: Key
columnName: TargetObject
entityType: RegistryKey
- fieldMappings:
- identifier: FullName
columnName: Computer
entityType: Host
relevantTechniques:
- T1003
severity: Medium
description: |
'When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.
Ref: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753'
kind: Scheduled
tactics:
- CredentialAccess
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f6502545-ae3a-4232-a8b0-79d87e5c98d7')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f6502545-ae3a-4232-a8b0-79d87e5c98d7')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "WDigest downgrade attack",
"description": "'When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753'\n",
"severity": "Medium",
"enabled": true,
"query": "Event\n| where EventLog == \"Microsoft-Windows-Sysmon/Operational\" and EventID in (13)\n| parse EventData with * 'TargetObject\">' TargetObject \"<\" * 'Details\">' Details \"<\" * \n| where TargetObject==\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\" and Details !=\"DWORD (0x00000000)\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"techniques": [
"T1003"
],
"alertRuleTemplateName": "f6502545-ae3a-4232-a8b0-79d87e5c98d7",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "Key",
"columnName": "TargetObject"
}
],
"entityType": "RegistryKey"
},
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "Computer"
}
],
"entityType": "Host"
}
],
"status": "Available",
"templateVersion": "1.0.0",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/WDigestDowngradeAttack.yaml"
}
}
]
}