EXPLORE
Sign In
← Back to Explore
kqlHunting

Potential Credential Dumping

Check for wdigest registry key being set to store passwords in plain text

Detection Query

//Check for wdigest registry key being set to store passwords in plain text
let wdigestkey = DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\Control\SecurityProviders\WDigest"
| where RegistryValueData == 1;
DeviceProcessEvents
| where TimeGenerated > ago(1hr)
| where FileName in ("reg.exe","regedit.exe","regedit32.exe")
//Check to see reg query is being used to look for password values
| where (ProcessCommandLine has_any("reg query",'"reg.exe" query', '"reg.exe"  query') and ProcessCommandLine has ("password"))
//Check if security account manager is being extracted from the registrys
or (ProcessCommandLine has "reg save" and ProcessCommandLine has_any (@"HKLM\sam",@"HKLM\system",@"HKEY_LOCAL_MACHINE\sam",@"HKEY_LOCAL_MACHINE\system"))
| union wdigestkey

Data Sources

DeviceProcessEventsDeviceRegistryEvents

Platforms

windows

Tags

defender
Raw Content
//Check for wdigest registry key being set to store passwords in plain text
let wdigestkey = DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\Control\SecurityProviders\WDigest"
| where RegistryValueData == 1;
DeviceProcessEvents
| where TimeGenerated > ago(1hr)
| where FileName in ("reg.exe","regedit.exe","regedit32.exe")
//Check to see reg query is being used to look for password values
| where (ProcessCommandLine has_any("reg query",'"reg.exe" query', '"reg.exe"  query') and ProcessCommandLine has ("password"))
//Check if security account manager is being extracted from the registrys
or (ProcessCommandLine has "reg save" and ProcessCommandLine has_any (@"HKLM\sam",@"HKLM\system",@"HKEY_LOCAL_MACHINE\sam",@"HKEY_LOCAL_MACHINE\system"))
| union wdigestkey