Query Details

Potential Credential Dumping

Query

//Check for the WDigest registry key being set to store passwords in plain text
let wdigestkey = DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\Control\SecurityProviders\WDigest"
//RegistryValueData is a string column, so compare against the string "1"
| where RegistryValueData == "1";
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where FileName in ("reg.exe","regedit.exe","regedt32.exe")
//Check whether reg query is being used to look for password values
| where (ProcessCommandLine has_any ("reg query", '"reg.exe" query', '"reg.exe"  query') and ProcessCommandLine has "password")
//Check whether the Security Account Manager (SAM) or SYSTEM hive is being saved from the registry
or (ProcessCommandLine has "reg save" and ProcessCommandLine has_any (@"HKLM\sam",@"HKLM\system",@"HKEY_LOCAL_MACHINE\sam",@"HKEY_LOCAL_MACHINE\system"))
| union wdigestkey

Explanation

This KQL (Kusto Query Language) query is designed to detect potentially suspicious activities related to registry modifications and password extraction on a device. Here's a simplified breakdown:

  1. WDigest Registry Key Check:
    • The query first checks whether the registry key for WDigest (a security support provider) has been set to store passwords in plain text, by looking for RegistryValueSet events under that key where the value data is 1.
  2. Process Monitoring:
    • It then looks at process events from the last hour for the registry tools reg.exe, regedit.exe and regedt32.exe.
  3. Password Query Detection:
    • Among those, it flags command lines that use reg query together with the term "password", i.e. the registry being searched for stored password values.
  4. Security Account Manager (SAM) Extraction:
    • It also flags reg save of the SAM or SYSTEM registry hives, which could indicate an attempt to extract sensitive security information for offline credential recovery.
  5. Combining Results:
    • Finally, it unions the process matches with the WDigest registry-key matches, giving one result set that covers both the registry change enabling plain-text credential caching and the registry-based credential access attempts.
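As an added illustration (not part of the original page or the author's query), the following Python re-implements the detection logic described above so the matching rules can be exercised offline against constructed sample events. It assumes a simplified model of the KQL operators: `has`/`has_any` are approximated as case-insensitive, alphanumeric-term matching, `endswith` as case-insensitive and `in` as an exact (case-sensitive) match, which is how those operators behave in KQL. Field names follow the DeviceProcessEvents and DeviceRegistryEvents columns the query uses; the sample events are constructed, not real telemetry.

```python
import re
from typing import Iterable

# Added example: a Python re-implementation of the KQL detection above, run
# over constructed sample events. Field names follow the DeviceProcessEvents /
# DeviceRegistryEvents schema used by the query.

_TERM_RE = re.compile(r"[A-Za-z0-9]+")


def terms(text: str) -> list[str]:
    """Split text into lowercase alphanumeric terms (assumption: an
    approximation of how KQL tokenises text for `has`)."""
    return [t.lower() for t in _TERM_RE.findall(text)]


def kql_has(field: str, phrase: str) -> bool:
    """Approximates KQL `has`: every term of `phrase` appears, in order and
    adjacent, among the terms of `field`. Unlike `contains`, a term that merely
    starts with the phrase ("passwords" vs "password") does not match."""
    f, p = terms(field), terms(phrase)
    if not p:
        return False
    return any(f[i:i + len(p)] == p for i in range(len(f) - len(p) + 1))


def kql_has_any(field: str, phrases: Iterable[str]) -> bool:
    return any(kql_has(field, ph) for ph in phrases)


# Process names and hive paths exactly as listed in the query.
REG_TOOLS = {"reg.exe", "regedit.exe", "regedt32.exe"}
SAM_HIVES = [r"HKLM\sam", r"HKLM\system",
             r"HKEY_LOCAL_MACHINE\sam", r"HKEY_LOCAL_MACHINE\system"]


def wdigest_plaintext_enabled(event: dict) -> bool:
    """The `wdigestkey` let-statement: a RegistryValueSet under the WDigest key
    whose data is 1. KQL `endswith` is case-insensitive, so the key is lowered
    first. The query does not filter on RegistryValueName."""
    return (event.get("ActionType") == "RegistryValueSet"
            and event.get("RegistryKey", "").lower().endswith(r"\control\securityproviders\wdigest")
            and str(event.get("RegistryValueData", "")) == "1")


def suspicious_reg_process(event: dict) -> bool:
    """The DeviceProcessEvents branch: a registry tool querying for password
    values or saving the SAM/SYSTEM hives. KQL `in` is case-sensitive, so the
    FileName check is an exact match, as in the query."""
    if event.get("FileName") not in REG_TOOLS:
        return False
    cmd = event.get("ProcessCommandLine", "")
    password_query = (kql_has_any(cmd, ["reg query", '"reg.exe" query'])
                      and kql_has(cmd, "password"))
    hive_save = kql_has(cmd, "reg save") and kql_has_any(cmd, SAM_HIVES)
    return password_query or hive_save


def detect(process_events: Iterable[dict], registry_events: Iterable[dict]) -> list[dict]:
    """Equivalent of the final `union`: matching process events plus matching
    WDigest registry events."""
    hits = [e for e in process_events if suspicious_reg_process(e)]
    hits += [e for e in registry_events if wdigest_plaintext_enabled(e)]
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"FileName": "reg.exe",
     "ProcessCommandLine": r'"reg.exe" query HKLM\Software\ExampleVendor\Service /v Password'},
    {"FileName": "reg.exe",
     "ProcessCommandLine": r"reg save HKLM\sam C:\Windows\Temp\sam.hiv"},
    # Benign: a reg query with no password term should not match.
    {"FileName": "reg.exe",
     "ProcessCommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
]
SAMPLE_REGISTRY_EVENTS = [
    {"ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "RegistryValueName": "UseLogonCredential", "RegistryValueData": "1"},
    # Setting the value back to 0 is not flagged by the query.
    {"ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "RegistryValueName": "UseLogonCredential", "RegistryValueData": "0"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_PROCESS_EVENTS, SAMPLE_REGISTRY_EVENTS):
        print(hit.get("ProcessCommandLine") or hit.get("RegistryKey"))
```

Running the block flags three of the five sample events: the password query, the SAM hive save and the WDigest value set to 1. The term-matching helper also makes the tuning trade-off visible: `has "password"` will not match a single term such as "passwordhash", so an analyst wanting broader (noisier) coverage would switch that clause to `contains` in the KQL.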

Details

Jay Kerai

Released: November 11, 2024

Tables

DeviceRegistryEvents, DeviceProcessEvents

Keywords

DeviceRegistryEvents, ProcessCommandLine, SecurityAccountManager

Operators

let, |, ==, endswith, in, >, ago, has_any, has, or, and, union