sigma-rules/rules/windows/credential_access_mod_wdigest_security_provider.toml

[metadata]
creation_date = "2021/01/19"
maturity = "production"
updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in
clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of
an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from
memory.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Modification of WDigest Security Provider"
references = [
    "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html",
    "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019",
]
risk_score = 73
rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where event.type in ("creation", "change") and
  registry.path:"HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and
  registry.data.strings:"1"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"