Detectionhightest

Wdigest CredGuard Registry Modification

Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Sun Aug 25Updated Sat Nov 271a2d6c47-75b0-45bd-b133-2c0be75349fdwindows

Log Source

WindowsRegistry Event

ProductWindows← raw: windows

CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetObject|endswith: '\IsCredGuardEnabled'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

teamhydra.blog

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion

Techniques

T1112 · Modify Registry

Rule Metadata

Rule ID

1a2d6c47-75b0-45bd-b133-2c0be75349fd

Status

test

Level

high

Type

Detection

Created

Sun Aug 25

Modified

Sat Nov 27

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Path

rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.t1112

View on GitHub