WDigest is a legacy authentication package that, while the registry value HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential is set to 1, makes LSASS keep users' plaintext passwords in memory, where credential dumpers such as Mimikatz (sekurlsa::wdigest) read them directly. Caching is off by default on Windows 8.1, Windows Server 2012 R2 and later, so an attacker who already holds local administrator rights flips the value to 1, waits for the next interactive logon, and reuses the harvested plaintext credentials for lateral movement and persistence. SOC teams should hunt for this registry change in Azure Sentinel: the write is a small, high-signal event that precedes the actual credential theft and is the earliest point at which the technique surfaces.
id: 05a01ec8-ecab-4f9a-9aae-8d8cc061fe05
name: wdigest-caching
description: |
This query was originally published in the threat analytics report, WDigest credential harvesting.
WDigest is a legacy authentication package dating from Windows XP. While some corporate networks still rely on it, it keeps plaintext credentials in LSASS memory whenever credential caching is enabled, and attackers who have gained local administrator rights re-enable caching in order to dump plaintext passwords.
The Microsoft Security Response Center published an overview of KB2871997, the update that introduced the UseLogonCredential registry value for disabling WDigest caching on older platforms; Windows 8.1, Windows Server 2012 R2 and later ship with caching disabled. More recent versions of Windows are protected by keeping that value at 0 and by a holistic security approach that follows the principle of least privilege.
The following query returns any attempt to turn WDigest credential caching on through the registry, either as a registry write that sets UseLogonCredential to 1 or as a process command line (reg.exe, PowerShell) that performs such a write.
References:
https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc778868(v=ws.10)?redirectedfrom=MSDN
https://msrc-blog.microsoft.com/2014/06/05/an-overview-of-kb2871997/
https://www.catalog.update.microsoft.com/Search.aspx?q=KB2871997
https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceRegistryEvents
- DeviceProcessEvents
tactics:
- Credential Access
- Vulnerability
query: |
union DeviceRegistryEvents, DeviceProcessEvents
// Find attempts to turn on WDigest credential caching
| where RegistryKey contains "wdigest" and RegistryValueName == "UseLogonCredential" and
RegistryValueData == "1" or
// Find processes created with commandlines that attempt to turn on WDigest caching
ProcessCommandLine has "WDigest" and ProcessCommandLine has "UseLogonCredential" and
ProcessCommandLine has "dword" and ProcessCommandLine has "1"
| project Timestamp, DeviceName, PreviousRegistryValueData,
RegistryKey, RegistryValueName, RegistryValueData, FileName, ProcessCommandLine,
InitiatingProcessAccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine, InitiatingProcessParentFileName
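The query's `where` clause replayed over constructed sample rows, to show which events each branch catches and which it misses. This is an added example, not code from the page or from Microsoft: the rows are made up, the `Table` field is a label rather than a real column, and `kql_has` is an approximation of Kusto's term matching (assumption: a term is a maximal run of ASCII letters and digits, so `REG_DWORD` contains the term `dword` and `0x1` does not contain the term `1`).

```python
import re

# Constructed sample rows shaped like the Microsoft 365 Defender tables the
# query unions (DeviceRegistryEvents and DeviceProcessEvents). Not real telemetry.
# "Table" is a label added for this example; it is not a column in either table.
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

SAMPLE_EVENTS = [
    {   # 1. reg.exe flips caching on: the registry branch should fire
        "Table": "DeviceRegistryEvents", "DeviceName": "ws01",
        "RegistryKey": WDIGEST_KEY, "RegistryValueName": "UseLogonCredential",
        "RegistryValueData": "1", "PreviousRegistryValueData": "0",
        "InitiatingProcessFileName": "reg.exe", "InitiatingProcessAccountName": "jdoe",
    },
    {   # 2. hardening script turns caching off: value is "0", must not fire
        "Table": "DeviceRegistryEvents", "DeviceName": "srv02",
        "RegistryKey": WDIGEST_KEY, "RegistryValueName": "UseLogonCredential",
        "RegistryValueData": "0", "PreviousRegistryValueData": "1",
        "InitiatingProcessFileName": "powershell.exe", "InitiatingProcessAccountName": "svc_cfgmgmt",
    },
    {   # 3. the reg.exe command line itself: all four terms present
        "Table": "DeviceProcessEvents", "DeviceName": "ws01", "FileName": "reg.exe",
        "ProcessCommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
                              r" /v UseLogonCredential /t REG_DWORD /d 1 /f",
    },
    {   # 4. PowerShell equivalent: `has` is case-insensitive, so DWord matches "dword"
        "Table": "DeviceProcessEvents", "DeviceName": "ws03", "FileName": "powershell.exe",
        "ProcessCommandLine": r"powershell -c Set-ItemProperty -Path"
                              r" HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
                              r" -Name UseLogonCredential -Value 1 -Type DWord",
    },
    {   # 5. same change written as a hex literal: the term is "0x1", not "1", so the
        #    command-line branch misses it; only the resulting registry row would catch it
        "Table": "DeviceProcessEvents", "DeviceName": "ws03", "FileName": "powershell.exe",
        "ProcessCommandLine": r"powershell -c Set-ItemProperty -Path"
                              r" HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
                              r" -Name UseLogonCredential -Value 0x1 -Type DWord",
    },
]

_TERM = re.compile(r"[A-Za-z0-9]+")


def kql_contains(column: str, needle: str) -> bool:
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in column.lower()


def kql_has(column: str, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive match on a whole term, where a
    term is a maximal run of ASCII letters and digits (assumption: underscore and
    punctuation split terms, so REG_DWORD yields the term "dword")."""
    return term.lower() in {t.lower() for t in _TERM.findall(column)}


def matches_wdigest_rule(event: dict) -> bool:
    """The query's `where` clause. After `union`, a column absent from one table
    reads as empty, which .get(..., "") reproduces. KQL `and` binds tighter than
    `or`, so the registry branch and the command-line branch are independent."""
    col = lambda name: event.get(name, "")
    registry_branch = (kql_contains(col("RegistryKey"), "wdigest")
                       and col("RegistryValueName") == "UseLogonCredential"
                       and col("RegistryValueData") == "1")
    cmdline = col("ProcessCommandLine")
    cmdline_branch = all(kql_has(cmdline, t)
                         for t in ("WDigest", "UseLogonCredential", "dword", "1"))
    return registry_branch or cmdline_branch


def hunt(events):
    """The `project` step, reduced to the columns an analyst triages first."""
    return [{"Table": e["Table"], "DeviceName": e["DeviceName"],
             "Who": e.get("InitiatingProcessAccountName", ""),
             "Evidence": e.get("RegistryValueData") or e.get("ProcessCommandLine", "")}
            for e in events if matches_wdigest_rule(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Rows 1, 3 and 4 match and rows 2 and 5 do not. Row 5 is the caveat worth remembering: the command-line branch is a convenience that catches obvious reg.exe and PowerShell invocations, while the DeviceRegistryEvents branch sees the effect of the change regardless of how the value was written, which is why both tables are required.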
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Streamed by the Microsoft 365 Defender connector (MicrosoftThreatProtection); ensure the connector is enabled and this table is populated |
| DeviceRegistryEvents | Same connector; both tables are required because the query unions them, and the registry branch is the one that catches the change however it was written |
Scenario: Legacy Application Compatibility
Description: An application that genuinely still needs WDigest (typically HTTP Digest authentication against an old server) is deliberately configured with UseLogonCredential = 1 through a change-managed channel such as Group Policy, a configuration-management agent or an installer. This is the one scenario that produces true, expected hits from this query.
Filter/Exclusion: Do not exclude by the application's process name; the registry write is made by the deployment tool, not by the application. Allow-list the specific DeviceName set together with the InitiatingProcessAccountName and InitiatingProcessFileName of the deployment channel, tied to the change record, and keep the rule active everywhere else. Treat the affected hosts as holding plaintext credentials in LSASS and restrict which accounts log on to them.
Scenario: Hardening or Audit Scripts
Description: Scripts that disable WDigest caching (for example `reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f`) or that read the value back share most of the command-line terms the query looks for. They match the command-line branch only if the full command line also contains the whole term "1", and they never match the registry branch, which requires the written value to be 1.
Filter/Exclusion: Review RegistryValueData, PreviousRegistryValueData and the full ProcessCommandLine before excluding anything. A write from 1 to 0 is remediation; a write from 0 to 1 is the behaviour being hunted.
Scenario: Administrative Tool Usage
Description: Remote execution tools (PsExec, remote PowerShell, RMM agents) are how administrators run `reg add` across many hosts, and also how attackers run it after lateral movement. The tool itself does not enable WDigest caching; a hit launched through such a tool tells you who made the change, it is not by itself a false positive.
Filter/Exclusion: Do not exclude psexec.exe or similar tool binaries, since that would hide exactly the lateral-movement case the query targets. Correlate on InitiatingProcessAccountName and InitiatingProcessParentFileName and confirm the change against a ticket.
Scenario: Credential Use That Does Not Touch the Key
Description: runas, cmdkey, Windows Credential Manager and mstsc.exe store or pass credentials through other mechanisms (the Credential Manager vault, the RDP client) and do not write UseLogonCredential, so they generate no hits from this query. Whether the credentials they handle end up cached in plaintext by WDigest depends only on the registry value, which is what the query watches.
Filter/Exclusion: None needed. A hit whose command line happens to mention one of these tools should be investigated on its own merits rather than excluded.