Detecting OS Credential Dumping done via WDigest – Security Spotlight

The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.

In this Security Spotlight, we’ll be talking about OS Credential Dumping done via WDigest and how to detect it within LogRhythm SIEM and LogRhythm Axon (MITRE ATT&CK® Technique T1003.001).

What is WDigest?

WDigest is an authentication protocol used for HTTP Digest Authentication and Simple Authentication and Security Layer (SASL) exchanges. SASL is a framework for authentication in Internet protocols, designed specifically to decouple authentication mechanisms from the applications that use them, so that an application can employ any authentication method SASL supports.

When a user logs on, WDigest produces the digest used for Digest Access Authentication. Rather than sending the password in plaintext over the network, it runs the password through a hash function to produce a unique “digest”, which is then used to authenticate the user without exposing the password. However, for WDigest to construct this digest, it must retain a copy of the plaintext password in memory, and this is where the potential for misuse comes into play.

Why You Need to Look Out for Credential Dumping Done via WDigest

Cyber attackers are always seeking ways to gain unauthorized entry into systems and networks, and credential dumping is one technique that lets them do just that: it extracts user credentials from a system’s memory. WDigest, by design, inadvertently makes this easier because it keeps plaintext passwords in memory.

By using tools like Mimikatz, attackers can dump these credentials and use them to escalate their privileges or move laterally within a network. Moreover, they can maintain persistence by reusing valid credentials to access resources, even after all initial malware or backdoors have been removed.

A notable incident involving this kind of credential dumping occurred during the 2016 Ukraine Electric Power Attack. A known GRU threat group called The Sandworm Team used Mimikatz to capture and use legitimate credentials. While the attack itself was highly intricate and used dozens of techniques, access to trusted accounts alone let the attackers move laterally within the network and reach vulnerable systems, and that was enough to cause disruptions in distribution substations within the Ukrainian power grid.

How Can LogRhythm Help You?

LogRhythm’s Analytic Co-Pilot team has crafted rules that detect when WDigest credential caching has been enabled by triggering on changes to its registry value. Specifically, they fire when the UseLogonCredential value has been switched on, which appears in the log as a value of 0x1.

The team developed regex-matching rules that look for this change, which indicates that the machine has been configured to keep passwords in plaintext in memory. If attackers find their way onto that machine, they will likely attempt to dump the credentials using tools such as Mimikatz.

Hence, LogRhythm generally advises disabling WDigest’s plaintext credential caching unless it is absolutely necessary. This is done by changing the registry value from 1 to 0.
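The registry check the rules above describe, as an added example that is not LogRhythm's rule logic: a Python regex detector run over constructed Sysmon Event ID 13 and Security Event ID 4657 lines, alerting only when UseLogonCredential under the standard WDigest key (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest) is set to 1, and treating a write of 0 as the remediation the post recommends. The field names and one-line layout are simplified approximations of those event formats, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# WDigest reads UseLogonCredential from this key (a well-known Windows path);
# a DWORD of 1 turns plaintext credential caching in memory back on.
KEY_RE = re.compile(r"(?:HKLM|HKEY_LOCAL_MACHINE|\\REGISTRY\\MACHINE)"
                    r"\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\b", re.IGNORECASE)
# The value name is either the tail of a Sysmon TargetObject path or a
# separate "Object Value Name:" field in a Security event 4657.
VALUE_NAME_RE = re.compile(r"(?:Object Value Name:\s*|\\)UseLogonCredential\b", re.IGNORECASE)
# New data: Sysmon "Details: DWORD (0x00000001)" or 4657 "New Value: 0x1".
DATA_RE = re.compile(r"(?:Details|New Value):\s*(?:DWORD\s*\()?(0x[0-9a-f]+|\d+)\)?", re.IGNORECASE)
HOST_RE = re.compile(r"Computer:\s*(\S+)", re.IGNORECASE)

@dataclass
class Detection:
    host: str
    new_value: int

def parse_dword(text):
    """Accept the hex form Windows logs use as well as plain decimal."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)

def check_event(line):
    """Return a Detection for any write to WDigest\\UseLogonCredential, else None."""
    if not (KEY_RE.search(line) and VALUE_NAME_RE.search(line)):
        return None
    data = DATA_RE.search(line)
    if not data:
        return None
    host = HOST_RE.search(line)
    return Detection(host.group(1) if host else "unknown", parse_dword(data.group(1)))

def find_wdigest_enablement(lines):
    """Only a new value of 1 is alert-worthy; 0 is the recommended hardened state."""
    return [d for d in map(check_event, lines) if d and d.new_value == 1]

# Constructed sample events (not real telemetry), flattened to one line each.
SAMPLE_EVENTS = [
    "Computer: WS01 EventID: 13 EventType: SetValue Image: C:\\Windows\\regedit.exe "
    "TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential "
    "Details: DWORD (0x00000001)",
    "Computer: WS01 EventID: 4657 Object Name: \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control"
    "\\SecurityProviders\\WDigest Object Value Name: UseLogonCredential Old Value: 0x1 New Value: 0x0",
    "Computer: WS02 EventID: 13 TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders"
    "\\SCHANNEL\\UseLogonCredential Details: DWORD (0x00000001)",
    "Computer: WS03 EventID: 13 TargetObject: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control"
    "\\SecurityProviders\\WDigest\\UseLogonCredential Details: DWORD (1)",
]
```

Running `find_wdigest_enablement(SAMPLE_EVENTS)` flags WS01 and WS03; the reset to 0 on WS01 and the unrelated SCHANNEL key on WS02 produce no alert.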

For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rule into your platform.

For other Security Spotlight episodes, you can access the full playlist here.