
RP2004: Wdigest credential access

Summary

ID RP2004
Brief Description Response playbook for detected Wdigest credential access.
Author @Cyberok
Creation Date 2023/02/03
Modification Date 2023/02/03
Tags
  • Status: Stable
  • Severity: High
  • Tlp: Amber
  • Pap: White
  • Windows
Usecases

Description

A WDigest configuration (the UseLogonCredential registry value set to 1) weakens the security of your environment, specifically on the endpoint, by letting an attacker read cleartext credentials from LSASS memory. There are measures you can take to remediate this and make your endpoints and credentials more secure. Microsoft's security update KB2871997 adds the UseLogonCredential setting to older versions of Windows (the value must then be set to 0), whereas Windows 8.1 / Server 2012 R2 and later are secured by default.

Checking the registry on all of your Windows endpoints for the WDigest setting should be a priority, as the loss of credentials could lead to the loss of sensitive information. One way to do this is command-line queries against every host, but a quicker way is to automate this kind of audit against your endpoints and have the data presented in an easy-to-consume report.

Workflow

WORKFLOW

For effective triage and response you need to identify and analyze the artifacts produced by the use case.

  1. Look for Windows registry modification commands. Two variations of this command have been observed, both of which eventually set the registry value UseLogonCredential to 1. On systems where the WDigest value is missing or has been removed:
    Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1'
    
    On systems where the WDigest value is set to not store cleartext passwords:
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
    
  2. Search for artifacts of credential access tools. For example, the actor can use rundll32.exe and comsvcs.dll with its built-in MiniDump function to dump LSASS memory (and the passwords it holds) into a file. The command typically names the output file explicitly; the file name is also spelled backwards to evade detection (ssasl.pmd, each part of lsass.dmp reversed):
    "powershell.exe" /c Remove-Item -Path C:\windows\temp\ssasl.pmd -Force -ErrorAction Ignore;
    rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id C:\windows\temp\ssasl.pmd full | out-host;
    Compress-Archive C:\windows\temp\ssasl.pmd C:\windows\temp\[name].zip
    
    
  3. Take any containment action depending on the situation and the asset's criticality. For example, if the credential access attempt was successful, it may be reasonable to lock the compromised users:

    • Lock user account
  4. Take any eradication action depending on the situation and the asset's criticality. For example, stolen credentials can be reused as arguments to further malicious commands, so:

    • Revoke authentication credentials
    • Remove the registry value (or reset it to 0): HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
  5. Take recovery action depending on the previous containment and eradication actions:

    • Unblock the blocked user (if needed)
    • Reset user password
    • Recover modification
  6. Report the incident, remove the security breaches, conduct a lessons learned exercise.
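The following script is an added example for steps 1 and 2 and is not code from the original playbook. It hunts Windows event logs for the two artifact classes described above: writes to the WDigest UseLogonCredential value (Sysmon Event ID 13 and the Set-ItemProperty / reg add command lines) and rundll32 comsvcs.dll MiniDump activity or the reversed ssasl.pmd file name (Sysmon Event ID 1 and Security 4688). It assumes Sysmon is installed with a configuration that records process creation and registry SetValue events for the WDigest key, and/or that Security 4688 auditing with "Include command line in process creation events" is enabled; the regex patterns, function names and output columns are this example's own.

```powershell
# Added example (not code from the original playbook): hunt for the step 1 and
# step 2 artifacts in Windows event logs across one or more hosts.
# Assumptions: Sysmon is installed with a config that records process creation
# (Event ID 1) and registry SetValue events (Event ID 13) for the WDigest key,
# and/or Security 4688 auditing with "Include command line in process creation
# events" enabled. Remote hosts need the Event Log remote access firewall rule.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [datetime]$Since = (Get-Date).AddDays(-7)
)

# Step 1: any command line or registry write touching UseLogonCredential under the
# WDigest key. Matches both quoted variants (Set-ItemProperty and reg add), the
# HKLM: drive form and full HKEY_LOCAL_MACHINE paths.
$WDigestValueRegex = '(?i)SecurityProviders\\WDigest.{0,40}UseLogonCredential'
# Step 2: rundll32 calling comsvcs.dll MiniDump by name or by ordinal (#24 is the
# commonly documented ordinal of MiniDump), and the reversed dump file name.
$MiniDumpRegex     = '(?i)comsvcs(\.dll)?\s*,\s*(MiniDump|#\s*24)\b'
$DumpNameRegex     = '(?i)\b(lsass|ssasl)\.(dmp|pmd)\b'

function ConvertTo-EventDataHash {
    # Flatten the <EventData><Data Name="..."> nodes of one event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $h[$d.Name] = $d.'#text' } }
    return $h
}

function Get-CommandLineVerdict {
    # Classify a process command line; $null means nothing suspicious was found.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    if ($CommandLine -match $WDigestValueRegex) { return 'WDigest UseLogonCredential modification command' }
    if ($CommandLine -match $MiniDumpRegex)     { return 'comsvcs.dll MiniDump (LSASS dump)' }
    if ($CommandLine -match $DumpNameRegex)     { return 'lsass/ssasl dump file referenced' }
    return $null
}

function New-Finding {
    param($Computer, $Event, $Source, $User, $Process, $Detail, $Why)
    [pscustomobject]@{
        Computer = $Computer; Time = $Event.TimeCreated; Source = $Source; EventId = $Event.Id
        User = $User; Process = $Process; Why = $Why; Detail = $Detail
    }
}

$findings = foreach ($computer in $ComputerName) {
    # Sysmon: registry SetValue (13) on the WDigest value and process creation (1).
    $sysmon = Get-WinEvent -ComputerName $computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 13; StartTime = $Since }
    foreach ($e in $sysmon) {
        $d = ConvertTo-EventDataHash $e
        if ($e.Id -eq 13 -and $d.TargetObject -match $WDigestValueRegex) {
            # Sysmon renders the new data as e.g. "DWORD (0x00000001)"; 1 is the dangerous value.
            $why = if ($d.Details -match '0x0*1\)') { 'UseLogonCredential set to 1' } else { 'UseLogonCredential written' }
            New-Finding $computer $e 'Sysmon' $d.User $d.Image "$($d.TargetObject) = $($d.Details)" $why
        }
        elseif ($e.Id -eq 1) {
            $why = Get-CommandLineVerdict $d.CommandLine
            if ($why) { New-Finding $computer $e 'Sysmon' $d.User $d.Image $d.CommandLine $why }
        }
    }
    # Security 4688: same command-line checks. CommandLine is empty unless the
    # "Include command line in process creation events" policy is on.
    $sec = Get-WinEvent -ComputerName $computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $Since }
    foreach ($e in $sec) {
        $d = ConvertTo-EventDataHash $e
        $why = Get-CommandLineVerdict $d.CommandLine
        if ($why) {
            $user = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            New-Finding $computer $e 'Security' $user $d.NewProcessName $d.CommandLine $why
        }
    }
}

$findings | Sort-Object Time | Format-Table Computer, Time, Source, EventId, User, Why, Process -AutoSize
```

Run it as a .ps1 with `-ComputerName host1,host2 -Since (Get-Date).AddDays(-30)`. A Sysmon Event ID 13 hit with Details of 1 is the strongest signal for step 1, because it fires regardless of which command wrote the value; the command-line patterns catch the two quoted variants and the comsvcs technique even when registry auditing is not configured. The User column answers the mapping table's question of which account context performed the modification.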

NOTE: if WDigest authentication is not being used, customers can apply the FixIt found on the KB article to disable WDigest. Doing this eliminates cleartext credentials from LSASS memory for new logon sessions (credentials already cached remain until those users log off or the host reboots). The easiest way to do this is through Group Policy, but a quick script also works:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f

Once you have pushed the security update and the registry update to all of your servers, verify it by querying the registry and checking that the value is 0 (on Windows 8.1 / Server 2012 R2 and later the value may be absent, which is also the secure default):

reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
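The following script is an added example, not the playbook's own code, covering both the fleet-wide audit called for in the Description and the remediation and verification in the NOTE above. It reads UseLogonCredential on every target, interprets the result per OS generation (absent is the secure default from Windows 8.1 / Server 2012 R2 onward, but on older builds it means caching is still on and KB2871997 must be present for the value to be honored at all), optionally sets the value to 0, re-reads it to verify, and writes a CSV report. It assumes PowerShell Remoting (WinRM) is enabled on the targets and that the caller is a local administrator there; the parameter names, columns and report path are this example's own.

```powershell
# Added example (not the original playbook's code): audit UseLogonCredential on
# many hosts in one pass, optionally set it back to 0, and verify the result.
# Assumptions: PowerShell Remoting (WinRM) is enabled on the targets and the
# caller is a local administrator there. Only pass -Remediate after confirming
# that nothing in the environment relies on WDigest authentication.
param(
    [Parameter(Mandatory)][string[]]$ComputerName,
    [switch]$Remediate,
    [string]$ReportPath = ".\wdigest-audit-$(Get-Date -Format yyyyMMdd-HHmm).csv"
)

$Audit = {
    param([bool]$Fix)
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $name = 'UseLogonCredential'
    $os   = Get-CimInstance Win32_OperatingSystem
    # Windows 8.1 / Server 2012 R2 (NT 6.3) and later do not cache cleartext
    # passwords unless the value is explicitly 1. Older builds need KB2871997
    # to honor the value at all, and still cache unless it is explicitly 0.
    $legacy = [version]$os.Version -lt [version]'6.3'
    $kb     = [bool](Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)

    $before  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $changed = $false
    if ($Fix -and ($before -eq 1 -or ($null -eq $before -and $legacy))) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
        $changed = $true
    }
    # Re-read after the change so the report shows the verified end state.
    $after = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    $state = if ($after -eq 1)     { 'ENABLED: cleartext passwords cached in LSASS' }
             elseif ($after -eq 0) { 'disabled' }
             elseif ($null -eq $after -and -not $legacy) { 'disabled (value absent; secure default on this OS)' }
             elseif ($null -eq $after -and $legacy)      { 'ENABLED (legacy default, value absent); set it to 0' }
             else                  { "unexpected value '$after'" }
    if ($legacy -and -not $kb) { $state += '; KB2871997 missing, value is not honored until installed' }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OS          = $os.Caption
        KB2871997   = if ($legacy) { $kb } else { 'n/a' }
        ValueBefore = $before
        ValueAfter  = $after
        Remediated  = $changed
        State       = $state
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $Audit `
                          -ArgumentList $Remediate.IsPresent -ErrorAction Continue
$results | Sort-Object State -Descending |
    Format-Table Computer, OS, KB2871997, ValueBefore, ValueAfter, Remediated, State -AutoSize
$results | Select-Object * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Report written to $ReportPath"
```

Run it first without -Remediate to get the report, then again with -Remediate once the WDigest dependency question is settled. Hosts that fail to connect are reported as errors by Invoke-Command and are missing from the CSV, so reconcile the CSV against your inventory rather than treating an empty result as clean. Any host whose ValueBefore is 1 on a system you did not configure that way is a lead for the registry modification hunt in step 1, and remediating it does not purge credentials already cached in LSASS.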

Response discovery mapping

Artifact             | Response action                                                | Notes                                                                                                            | Observables
---------------------|----------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------|----------------------------------
Windows Registry     | List registry keys accessed; List registry keys modified       | Look for reg add (or delete and create) commands; examine under which user's context the modification was made   | Credential dump attempt artifact
Process              | Identify means of attack                                       | Search for possible tool artifacts to establish the fact of a credential dump                                    | Identified credential dump tool
Login Session        | Identify affected systems and users                            | Look for the user's logons on the compromised host                                                               | Compromised password
Encrypted Credential | Revoke authentication credentials                              | If credential access is confirmed                                                                                | Restrict credential usage
Password             | Reset password                                                 | Depends on the required context                                                                                  | New password

P.S. Artifacts from the "Attack Prerequisites" section (in this case: Host) should be used in Operational Preparations and as input arguments for other response actions, for example:

response action: list registry keys accessed
list_registry_keys_accessed (enabled=True, host)

Response mindmap diagram

Mindmap

Playbook Actions

Preparation

Operational Preparations

Identification

List Registry Keys Accessed
List Registry Keys Modified
Identify affected systems and users
Identify means of attack

Containment

Lock User Account
Powershell disable AD user

Eradication

Remove Registry Key
Remove Windows registry key with Powershell
Reset Authentication Credentials
Revoke Authentication Credentials

Recovery

Unlock Locked User Account
Powershell enable AD user
[Unimplemented] Recover modification

Lessons Learned

Develop Incident Report
Conduct Lessons Learned Exercise


Artifacts