Query Details

RULE 13 AD WDigest Reenabled

Query

// =========================================================
// RULE-13 | AD-WDigest-Reenabled
// Description : WDigest credential provider re-enabled —
//               Event 4657 (Registry Value Modified) setting
//               HKLM\SYSTEM\CurrentControlSet\Control\
//               SecurityProviders\WDigest\UseLogonCredential
//               to 1 (enabled).
//               When UseLogonCredential = 1 Windows stores
//               the user's plaintext password in LSASS memory
//               instead of only the NT hash.  This is a
//               deliberate attacker preparation step before
//               credential dumping.
// Severity    : High (any host) → Critical (on a DC or Tier-0)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1556.002 — Modify Authentication Process:
//               Password Filter DLL
//               (most closely maps to T1112 — Modify Registry)
// Tables      : SecurityEvent
// =========================================================

let LookBack = 15m;

// Known DCs (lightweight — 3-day TGT window)
let KnownDCNames = SecurityEvent
    | where TimeGenerated > ago(3d)
    | where EventID == 4768
    | summarize by DC = toupper(Computer);

SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4657                    // Registry Value Modified
| where ObjectName has @"WDigest"
    and ObjectValueName =~ "UseLogonCredential"
// New value = 1 means WDigest enabled
| where NewValue == "1" or NewValue == "0x00000001"
| extend
    ActorAccount  = strcat(SubjectDomainName, "\\", SubjectUserName),
    RegPath       = ObjectName,
    PreviousValue = OldValue,
    NewRegValue   = NewValue,
    IsOnDC        = (toupper(Computer) in~ (KnownDCNames))
| extend
    Severity = case(IsOnDC, "Critical", "High"),
    WhySuspicious = strcat(
        "WDigest_Enabled_UseLogonCredential=1; ",
        iff(IsOnDC, "On_DC_Critical_Impact; ", "Workstation_or_Server; "),
        "Actor: ", SubjectUserName, "; ",
        "RegPath: ", RegPath
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    ActorAccount,
    Computer,
    RegPath,
    PreviousValue,
    NewRegValue,
    IsOnDC,
    SubjectUserName,
    SubjectDomainName
| order by TimeGenerated desc

Explanation

This query is designed to detect when the WDigest credential provider is re-enabled on a Windows system, which is a potential security risk. Here's a simplified explanation of what the query does:

  1. Purpose: The query checks for changes in the Windows Registry that indicate the WDigest credential provider has been re-enabled. This is significant because when WDigest is enabled, Windows stores user passwords in plaintext in memory, making it easier for attackers to steal credentials.

  2. Severity: The severity of this event is classified as "High" for any host, but it is elevated to "Critical" if it occurs on a Domain Controller (DC) or a Tier-0 system, which are more sensitive targets.

  3. Frequency: The query runs every 15 minutes and looks back over the past 15 minutes to detect any changes.

  4. Detection Logic:

    • It looks for Event ID 4657, which indicates a registry value modification.
    • Specifically, it checks whether the registry value HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential has been set to 1 (rendered in the event as either "1" or "0x00000001"), meaning WDigest is enabled.
    • It flags whether the change occurred on a known Domain Controller by comparing the computer name (case-insensitively) against the hosts that have logged Kerberos TGT requests (Event ID 4768) in the last three days, since only DCs log that event.

  5. Output:

    • The query outputs the time of the event, the severity, why the event is suspicious, the account that made the change, the computer name, the registry path, the previous and new values of the registry setting, and whether the change was made on a Domain Controller.
    • The results are sorted by the time the event was generated, most recent first.

This query helps security teams quickly identify and respond to potential credential theft risks by monitoring for specific registry changes related to WDigest.
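The same detection logic, as an added example that is not part of the original query page and not the author's code: a Python re-implementation run over a few constructed SecurityEvent records, so the REG_DWORD normalisation ("1" versus "0x00000001"), the case-insensitive DC lookup and the severity assignment can be exercised offline before the rule is deployed. Field names mirror the SecurityEvent columns the KQL uses; every hostname, account and timestamp is made up. One prerequisite the query itself cannot check: Event 4657 is only written when the "Audit Registry" subcategory is enabled and the WDigest key carries a SACL that audits Set Value, so a host without that auditing produces nothing for either version to match.

```python
# Added example (not the query author's code): RULE-13's detection logic
# re-implemented in Python over a few constructed SecurityEvent records, so
# the DWORD normalisation and the DC enrichment can be exercised offline.
# Field names mirror the SecurityEvent columns the KQL uses; every hostname,
# account and timestamp below is made up.
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass
class SecurityEvent:
    time_generated: str          # ISO-8601, so lexical order == chronological
    event_id: int
    computer: str
    object_name: str = ""        # 4657 ObjectName: the registry key path
    object_value_name: str = ""  # 4657 ObjectValueName
    old_value: str = ""
    new_value: str = ""
    subject_user_name: str = ""
    subject_domain_name: str = ""


@dataclass
class Alert:
    time_generated: str
    severity: str
    why_suspicious: str
    actor_account: str
    computer: str
    reg_path: str
    previous_value: str
    new_reg_value: str
    is_on_dc: bool


def reg_dword_enabled(value: str) -> bool:
    """4657 renders REG_DWORD data as decimal ("1") or hex ("0x00000001");
    parsing the integer covers both spellings the KQL lists, plus "0x1"."""
    v = value.strip()
    try:
        return int(v, 16 if v.lower().startswith("0x") else 10) == 1
    except ValueError:
        return False


def known_dcs(events: Iterable[SecurityEvent]) -> Set[str]:
    """Mirror KnownDCNames: only DCs log Kerberos TGT requests (4768).
    Upper-cased so the lookup is case-insensitive, like `in~`."""
    return {e.computer.upper() for e in events if e.event_id == 4768}


def is_wdigest_key(object_name: str) -> bool:
    """Approximates `ObjectName has "WDigest"`: whole path component, any case."""
    return "wdigest" in (p.lower() for p in object_name.split("\\"))


def detect_wdigest_reenabled(events: List[SecurityEvent]) -> List[Alert]:
    dcs = known_dcs(events)
    alerts: List[Alert] = []
    for e in events:
        if e.event_id != 4657 or not is_wdigest_key(e.object_name):
            continue
        if e.object_value_name.lower() != "uselogoncredential":  # =~
            continue
        if not reg_dword_enabled(e.new_value):  # only 1 (enabled) is interesting
            continue
        on_dc = e.computer.upper() in dcs
        alerts.append(Alert(
            time_generated=e.time_generated,
            severity="Critical" if on_dc else "High",
            why_suspicious="WDigest_Enabled_UseLogonCredential=1; "
            + ("On_DC_Critical_Impact; " if on_dc else "Workstation_or_Server; ")
            + f"Actor: {e.subject_user_name}; RegPath: {e.object_name}",
            actor_account=f"{e.subject_domain_name}\\{e.subject_user_name}",
            computer=e.computer,
            reg_path=e.object_name,
            previous_value=e.old_value,
            new_reg_value=e.new_value,
            is_on_dc=on_dc,
        ))
    alerts.sort(key=lambda a: a.time_generated, reverse=True)  # order by ... desc
    return alerts


# Constructed sample telemetry (not real events).
WDIGEST_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest"
SAMPLE_EVENTS = [
    SecurityEvent("2026-03-24T09:58:00Z", 4768, "dc01.corp.example"),  # marks dc01 as a DC
    SecurityEvent("2026-03-24T10:05:00Z", 4657, "DC01.corp.example", WDIGEST_KEY,   # hex DWORD, on DC
                  "UseLogonCredential", "0x00000000", "0x00000001", "svc-backup", "CORP"),
    SecurityEvent("2026-03-24T10:20:00Z", 4657, "ws042.corp.example", WDIGEST_KEY,  # decimal, workstation
                  "UseLogonCredential", "0", "1", "jdoe", "CORP"),
    SecurityEvent("2026-03-24T10:25:00Z", 4657, "ws042.corp.example", WDIGEST_KEY,  # disabled again: no alert
                  "UseLogonCredential", "1", "0", "jdoe", "CORP"),
    SecurityEvent("2026-03-24T10:26:00Z", 4657, "ws042.corp.example", WDIGEST_KEY,  # other value: no alert
                  "Negotiate", "30", "31", "jdoe", "CORP"),
]

if __name__ == "__main__":
    for a in detect_wdigest_reenabled(SAMPLE_EVENTS):
        print(a.time_generated, a.severity, a.computer, a.why_suspicious)
```

Running the block yields two alerts out of five events: the workstation change at High and the DC change at Critical, newest first; the reset to 0 and the unrelated value under the same key are filtered out, which is exactly the behaviour the KQL's `NewValue` and `ObjectValueName` predicates are meant to have.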

Details

David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, WDigest, UseLogonCredential, ActorAccount, RegPath, PreviousValue, NewRegValue, IsOnDC, Severity, WhySuspicious, Computer, SubjectUserName, SubjectDomainName

Operators

let, ago, toupper, summarize, by, where, has, =~, or, extend, strcat, in~, case, iff, project, order by, desc