WDigest Forced Credential Caching (Sysmon)
WDigest is a legacy digest authentication provider that Windows keeps for backward compatibility. While it is enabled, LSASS holds a plaintext copy of every logged-on user's password in memory, which credential dumpers such as Mimikatz (sekurlsa::wdigest) read directly. Since Windows 8.1 and Server 2012 R2 (and on earlier versions once KB2871997 is installed) this caching is off by default and is governed by the DWORD value UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest; setting it to 1 turns plaintext caching back on for all subsequent logons, so threat actors set it ahead of an LSASS dump. This use case detects both the command that modifies the value (Sysmon Event ID 1, for example reg add ... /v UseLogonCredential) and the resulting registry write (Sysmon Event ID 13). The search matches on the key path and value name only, not on the data written, so a hardening or remediation change that sets the value to 0 also fires; at triage check the command line or the Event ID 13 Details field (for example DWORD (0x00000001)) to confirm that caching was enabled.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1112 Modify Registry |
| Credential Access | T1003.005 OS Credential Dumping: Cached Domain Credentials |
References
- https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
- https://blog.talosintelligence.com/lazarus-three-rats/
- https://www.huntress.com/blog/third-party-pharmaceutical-vendor-linked-to-pharmacy-and-health-clinic-cyberattack
- https://twitter.com/Purp1eW0lf/status/1735588467092922707/photo/1
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 13 | RegistryEvent (Value Set) |
Rule body
```yaml
id: '24482.45159'
title: WDigest Forced Credential Caching
description: 'WDigest is a legacy authentication protocol used by Windows, primarily
for backward compatibility, that stores credentials in memory, potentially allowing
plaintext password access if enabled. Threat actors may adjust wdigest registry
values to facilitate credential harvesting. This use case detects commands to modify
the WDigest registry value. '
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` ((TERM(EventCode=1) OR "<EventID>1<"
"add") OR (TERM(EventCode=13) OR "<EventID>13<")) "\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest"
"UseLogonCredential" | table _time, host, user signature_id, process, process_*
| bin span=1s | stats values(*) as * by _time, host '
techniques:
- defense-evasion:modify registry
- credential-access:os credential dumping:cached domain credentials
technique_id:
- T1112
- T1003.005
data_category:
- Windows Sysmon
references:
- https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
- https://blog.talosintelligence.com/lazarus-three-rats/
- https://www.huntress.com/blog/third-party-pharmaceutical-vendor-linked-to-pharmacy-and-health-clinic-cyberattack
- https://twitter.com/Purp1eW0lf/status/1735588467092922707/photo/1
```
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` ((TERM(EventCode=1) OR "<EventID>1<" "add") OR (TERM(EventCode=13) OR "<EventID>13<")) "\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" "UseLogonCredential"
Stage 2: table
| table _time, host, user signature_id, process, process_*
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
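As an added example that is not part of the catalog's rule or its Splunk logic, the following Python script replays the four stages above over a handful of constructed Sysmon events (not captured from a real host). Stage 1 is applied as raw-text token matching, case-insensitive as Splunk does it, with the Event ID 1 branch read as requiring the token add (as in reg add) alongside the event ID; stages 3 and 4 are the one-second bucket and the per-host values(*) roll-up. It also does what the rule itself does not: it pulls the value actually written (from the command line's /d argument or the Event ID 13 Details field) so that an enable (1) can be told apart from a hardening or remediation write of 0, which the search matches as well. The event layout, host names, user names and timestamps are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed Sysmon events for illustration (not real telemetry). The Sysmon XML
# namespace is omitted so the rule's bare tokens "<EventID>1<" / "<EventID>13<" read
# the same way they do in Splunk's _raw.
SAMPLE_EVENTS = [
    # EID 1: reg.exe turning plaintext caching on (the attacker pattern)
    r"""<Event><System><EventID>1</EventID><Computer>WS01</Computer></System>
        <EventData><Data Name="UtcTime">2024-01-01 10:00:00.100</Data>
        <Data Name="Image">C:\Windows\System32\reg.exe</Data>
        <Data Name="CommandLine">reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f</Data>
        <Data Name="User">CORP\jdoe</Data></EventData></Event>""",
    # EID 13: the registry write produced by the command above
    r"""<Event><System><EventID>13</EventID><Computer>WS01</Computer></System>
        <EventData><Data Name="UtcTime">2024-01-01 10:00:00.300</Data>
        <Data Name="EventType">SetValue</Data>
        <Data Name="Image">C:\Windows\System32\reg.exe</Data>
        <Data Name="TargetObject">HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential</Data>
        <Data Name="Details">DWORD (0x00000001)</Data></EventData></Event>""",
    # EID 1: an administrator hardening the host (value 0). The rule fires on this too.
    r"""<Event><System><EventID>1</EventID><Computer>WS02</Computer></System>
        <EventData><Data Name="UtcTime">2024-01-01 10:05:00.000</Data>
        <Data Name="Image">C:\Windows\System32\reg.exe</Data>
        <Data Name="CommandLine">reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f</Data>
        <Data Name="User">CORP\admin</Data></EventData></Event>""",
    # EID 1: a read-only query. No "add" token, so stage 1 must not match.
    r"""<Event><System><EventID>1</EventID><Computer>WS03</Computer></System>
        <EventData><Data Name="UtcTime">2024-01-01 10:06:00.000</Data>
        <Data Name="Image">C:\Windows\System32\reg.exe</Data>
        <Data Name="CommandLine">reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential</Data>
        <Data Name="User">CORP\auditor</Data></EventData></Event>""",
]

# The two quoted strings of stage 1, unescaped: SPL "\\" is one literal backslash.
WDIGEST_KEY = r"\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest".lower()
VALUE_NAME = "uselogoncredential"


def stage1_matches(raw: str) -> bool:
    """Stage 1 as raw-text token tests (Splunk search terms are case-insensitive)."""
    r = raw.lower()
    proc_add = "<eventid>1<" in r and "add" in r   # EID 1 branch: process creation plus 'add'
    reg_set = "<eventid>13<" in r                   # EID 13 branch: registry value set
    return (proc_add or reg_set) and WDIGEST_KEY in r and VALUE_NAME in r


def parse_event(raw: str) -> dict:
    """Flatten the Sysmon XML into the field names an add-on would extract."""
    root = ET.fromstring(raw)
    ev = {"EventID": root.findtext("./System/EventID"),
          "host": root.findtext("./System/Computer")}
    for d in root.iter("Data"):
        ev[d.get("Name")] = d.text or ""
    return ev


def written_value(ev: dict):
    """DWORD the event wrote, or None. EID 13 carries it in Details ('DWORD (0x00000001)');
    for EID 1 only the command line is available, so parse reg.exe's /d argument."""
    if ev["EventID"] == "13":
        m = re.search(r"DWORD \(0x([0-9a-fA-F]+)\)", ev.get("Details", ""))
        return int(m.group(1), 16) if m else None
    m = re.search(r"/d\s+(\d+)", ev.get("CommandLine", ""), re.IGNORECASE)
    return int(m.group(1)) if m else None


def run_rule(raw_events):
    """Stages 2-4: keep the matched events, bin to the second, roll up values(*) per host."""
    buckets = defaultdict(lambda: defaultdict(set))
    for raw in raw_events:
        if not stage1_matches(raw):
            continue
        ev = parse_event(raw)
        second = ev["UtcTime"][:19]             # bin span=1s on the event timestamp
        row = buckets[(second, ev["host"])]
        for field, value in ev.items():
            row[field].add(value)
        val = written_value(ev)
        if val is not None:
            row["written_value"].add(val)       # extra triage field, not in the rule
    return {key: {f: sorted(v) for f, v in row.items()} for key, row in buckets.items()}


def classify(row: dict) -> str:
    """1 re-enables plaintext caching; 0 is hardening or remediation; anything else is unknown."""
    vals = row.get("written_value", [])
    if 1 in vals:
        return "enable"
    if vals and set(vals) == {0}:
        return "disable"
    return "unknown"


if __name__ == "__main__":
    for (second, host), row in sorted(run_rule(SAMPLE_EVENTS).items()):
        print(second, host, row["EventID"], row.get("Image"), classify(row))
```

Run as-is it prints two rows: WS01 at 10:00:00 with Event IDs 1 and 13 classified as enable, and WS02 at 10:05:00 classified as disable; the reg query on WS03 never reaches stage 2. The disable row is the false positive the catalog description warns about, which is why the written value is worth surfacing next to the rule's own fields.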
Indicators
Each row is a field, operator, and value that the rule matches. The only field-level predicates in this rule are the two TERM(EventCode=...) directives in stage 1; everything else is matched as bare text (see Search terms).
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 1, 13 |
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field. TERM(...) is a search directive rather than a token; its EventCode values are listed under Indicators.
| Stage | Term |
|---|---|
| 1 | "<EventID>1<" |
| 1 | "add" |
| 1 | "<EventID>13<" |
| 1 | "\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" |
| 1 | "UseLogonCredential" |