Detectionhightest

Wdigest Enable UseLogonCredential

Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Thu Sep 12Updated Thu Aug 17d6a9b252-c666-4de6-8806-5561bbbd3bdcwindows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|endswith: 'WDigest\UseLogonCredential'
        Details: DWORD (0x00000001)
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

threathunterplaybook.com

Resolving title…

support.microsoft.com

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion

Techniques

T1112 · Modify Registry

Rule Metadata

Rule ID

d6a9b252-c666-4de6-8806-5561bbbd3bdc

Status

test

Level

high

Type

Detection

Created

Thu Sep 12

Modified

Thu Aug 17

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Path

rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.t1112

View on GitHub