UC0032: Forcing WDigest to store credentials in plaintext
Summary
ID | UC0032 |
---|---|
Brief Description | Force WDigest to store secrets in plaintext. |
Author | Alex@Cyberok |
Creation Date | 2023/02/28 |
Modification Date | 2023/02/28 |
ATT&CK Techniques | |
Tags | |
Linked Response Playbooks | |
Artifacts | |
Description
As part of the WDigest authentication provider, Windows versions up to 8 and 2012 stored logon credentials in memory in plaintext by default; newer Windows versions no longer do so.
It is still possible, however, to force WDigest to store secrets in plaintext by changing a single registry value.
Digest Authentication is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It utilizes Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges to authenticate.
Attack mapping
ARTIFACT | OBJECT | DESCRIPTION |
---|---|---|
Attack Prerequisites | ||
Host | Compromised host | A host on which the attacker already has privileged access |
Login Session | Victim's login session on the compromised host | The account's encrypted authentication credentials |
Side Observables | ||
Windows Registry | WDigest UseLogonCredential registry value | Registry value that forces WDigest to store credentials in plaintext |
Encrypted Credential | WDigest credentials | Credentials that can be dumped and cracked later |
Password | Victim's password | Plaintext password that the attacker can display and retrieve |
Attack results
Modifying the Windows registry value that controls the WDigest credential store makes secrets accessible in plaintext.
RESOURCE | DESCRIPTION |
---|---|
Attack Prerequisites | |
Privileged Access | Compromised host with privileged access |
Result Consequences | |
Credential Access | The attacker obtains a plaintext password that can be used in later stages of the attack, for example for lateral movement |
Attack progress
1) First, confirm that WDigest is not storing credentials in plaintext on the target machine running Windows 10. Note that the password field is null.
2) Now, as an attacker, modify the following registry value to force WDigest to store credentials in plaintext the next time someone logs on to the target system:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
Possible usage
1) In the DEV-0270 (PHOSPHORUS) ransomware campaign, after the threat actors had compromised the device and gained admin privileges, DEV-0270 used LOLBINs to conduct credential theft, which removes the need to drop common credential-theft tools that are more likely to be detected and blocked by antivirus and endpoint detection and response (EDR) solutions. One of these processes starts by enabling WDigest in the registry, which results in passwords being stored in cleartext on the device and saves the actor the time needed to crack a password hash.
The actor then uses rundll32.exe and comsvcs.dll with its built-in MiniDump function to dump passwords from LSASS into a dump file. The command typically specifies an output file for the LSASS dump, and the file name is reversed to evade detections (ssasl.dmp). More details are in the Microsoft report (MS Report).
Attack diagram
References
Forcing WDigest to Store Credentials in Plaintext
Detect, mitigate and respond to WDigest attacks with Logpoint