Query Details

Endpoint WDigest Credential Access

Query

name : Credential Access - WDigest credential harvesting
description : 
- Case1 - Find attempts to turn on WDigest credential caching
- Case2 - Find processes created with commandlines that attempt to turn on WDigest caching
reference : 
- Threat analytics | WDigest credential harvesting
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/threat-analytics?view=o365-worldwide
table : 
- DeviceRegistryEvents
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceregistryevents-table?view=o365-worldwide
- DeviceProcessEvents
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide
query : |
    //Case1 - Find attempts to turn on WDigest credential caching
    DeviceRegistryEvents
    | where Timestamp > ago(7d)
    | where RegistryKey contains "wdigest" and RegistryValueName == "UseLogonCredential" and RegistryValueData == "1"
    | project Timestamp, DeviceId, DeviceName, PreviousRegistryValueData, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName

    //Case2 - Find processes created with commandlines that attempt to turn on WDigest caching
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where ProcessCommandLine has "WDigest" and ProcessCommandLine has "UseLogonCredential" and ProcessCommandLine has "dword" and ProcessCommandLine has "1"
    | project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, FileName, ProcessCommandLine


Explanation

This query is used to find signs of WDigest credential harvesting, namely attempts to enable WDigest credential caching (the UseLogonCredential value set to 1).

Case 1: It looks for attempts to turn on WDigest credential caching by checking the DeviceRegistryEvents table for entries where the registry key contains "wdigest", the registry value name is "UseLogonCredential", and the registry value data is "1". It also retrieves additional context such as the timestamp, device ID, device name, previous registry value data, registry key, registry value name, registry value data, initiating process account name, initiating process file name, initiating process command line, and initiating process parent file name.

Case 2: It looks for processes created with command lines that attempt to turn on WDigest caching by checking the DeviceProcessEvents table for entries where the process command line contains all of the terms "WDigest", "UseLogonCredential", "dword", and "1". It retrieves context such as the timestamp, device ID, device name, initiating process account name, initiating process file name, initiating process command line, initiating process parent file name, file name, and process command line.
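To show how the two cases behave on concrete rows, here is an added Python reimplementation of the query's matching logic run over constructed sample events; it is not part of the original query page, the rows are made up, and the `has_term` helper is only an approximation of KQL `has` term matching.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not real telemetry); field names follow the
# DeviceRegistryEvents and DeviceProcessEvents schemas used by the query.
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
REGISTRY_EVENTS = [
    {"Timestamp": "2023-03-02T09:15:00Z", "DeviceName": "ws01", "RegistryKey": WDIGEST_KEY,
     "RegistryValueName": "UseLogonCredential", "RegistryValueData": "1",
     "PreviousRegistryValueData": "0", "InitiatingProcessFileName": "reg.exe"},
    {"Timestamp": "2023-03-02T09:20:00Z", "DeviceName": "ws02", "RegistryKey": WDIGEST_KEY,
     "RegistryValueName": "UseLogonCredential", "RegistryValueData": "0",   # caching turned off: no hit
     "PreviousRegistryValueData": "1", "InitiatingProcessFileName": "gpupdate.exe"},
    {"Timestamp": "2023-02-01T09:00:00Z", "DeviceName": "ws03", "RegistryKey": WDIGEST_KEY,
     "RegistryValueName": "UseLogonCredential", "RegistryValueData": "1",   # outside the 7-day window
     "PreviousRegistryValueData": "", "InitiatingProcessFileName": "reg.exe"},
]
PROCESS_EVENTS = [
    {"Timestamp": "2023-03-02T09:15:00Z", "DeviceName": "ws01", "FileName": "reg.exe",
     "ProcessCommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"Timestamp": "2023-03-02T11:00:00Z", "DeviceName": "ws04", "FileName": "reg.exe",   # read-only query: no "dword"/"1"
     "ProcessCommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential"},
]
NOW = datetime(2023, 3, 3, tzinfo=timezone.utc)  # fixed clock so the example is deterministic

def in_window(row, days=7):
    """Mirror `where Timestamp > ago(7d)` against the fixed clock."""
    ts = datetime.fromisoformat(row["Timestamp"].replace("Z", "+00:00"))
    return ts > NOW - timedelta(days=days)

def has_term(text, term):
    """Approximate KQL `has`: case-insensitive match of a whole alphanumeric token,
    so 'dword' matches REG_DWORD and '1' matches '/d 1' but not '/d 10'."""
    return term.lower() in re.findall(r"[a-z0-9]+", text.lower())

def case1_hits(rows):
    """Registry writes that set UseLogonCredential to 1 under the WDigest key."""
    return [r for r in rows if in_window(r)
            and "wdigest" in r["RegistryKey"].lower()           # `contains` is case-insensitive
            and r["RegistryValueName"] == "UseLogonCredential"  # `==` is case-sensitive
            and r["RegistryValueData"] == "1"]

def case2_hits(rows):
    """Process launches whose command line carries all four Case 2 terms."""
    terms = ("WDigest", "UseLogonCredential", "dword", "1")
    return [r for r in rows if in_window(r)
            and all(has_term(r["ProcessCommandLine"], t) for t in terms)]

if __name__ == "__main__":
    for r in case1_hits(REGISTRY_EVENTS) + case2_hits(PROCESS_EVENTS):
        print(r["Timestamp"], r["DeviceName"], r.get("InitiatingProcessFileName") or r["FileName"])
```

Only the ws01 rows are returned: the value reset to 0, the write older than seven days, and the read-only `reg query` all fall outside the query's conditions.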

Details


Kijo Girardi

Released: March 3, 2023

Tables

DeviceRegistryEvents, DeviceProcessEvents

Keywords

DeviceRegistryEvents,DeviceProcessEvents

Operators

toscalar(), arg_max(), count(), mv-expand
