
Detecting OS Credential Dumping done via WDigest – Security Spotlight

3 January 2024
The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.

In this Security Spotlight, we’ll be talking about OS Credential Dumping done via WDigest and how to detect it within LogRhythm SIEM and LogRhythm Axon (MITRE ATT&CK® Technique T1003.001).

What is WDigest?

WDigest is a protocol used for HTTP Digest Authentication and Simple Authentication and Security Layer (SASL) exchanges. SASL is a framework for authentication in Internet protocols, designed specifically to decouple authentication mechanisms from the applications that use them. This separation lets an application employ any authentication mechanism SASL supports without implementing each one itself.

When a user logs on, WDigest performs Digest Access Authentication. This avoids sending the password in plaintext over the network: a hash function produces a unique “digest”, and that digest is used to authenticate the user without exposing the password. However, to construct this digest on demand, WDigest must retain a copy of the plaintext password in memory. This is where the potential for its misuse comes into play.
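As an added example (not part of the LogRhythm post), the following PowerShell audit reports whether WDigest is currently allowed to keep plaintext logon credentials in memory, based on the well-known UseLogonCredential registry value; the defaults it assumes are that Windows 8.1 / Server 2012 R2 and later stop caching when the value is absent, while older releases need the value explicitly set to 0.

```powershell
# Added example: audit the WDigest plaintext-credential caching setting.
# Assumption: the UseLogonCredential DWORD under the WDigest SecurityProviders
# key controls this behaviour (0 = do not cache plaintext, 1 = cache).
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$valueName = 'UseLogonCredential'

function Get-WDigestStatus {
    # Read the configured value, if any.
    $value = $null
    if (Test-Path $keyPath) {
        $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.$valueName }
    }

    # Assumed defaults: OS version 6.3 (Windows 8.1 / Server 2012 R2) and later
    # do not cache plaintext credentials when the value is absent; earlier
    # releases cache them unless the value is explicitly 0.
    $os = [System.Environment]::OSVersion.Version
    $defaultsOff = ($os.Major -gt 6) -or ($os.Major -eq 6 -and $os.Minor -ge 3)
    $enabled = if ($null -eq $value) { -not $defaultsOff } else { $value -ne 0 }

    [pscustomobject]@{
        RegistryValue           = $value
        PlaintextCachingEnabled = $enabled
    }
}

$status = Get-WDigestStatus
if ($status.PlaintextCachingEnabled) {
    Write-Warning "WDigest plaintext credential caching is ENABLED ($valueName = $($status.RegistryValue))."
    # Hardening (run elevated; existing sessions keep their cached credentials
    # until users log off or the host reboots):
    # Set-ItemProperty -Path $keyPath -Name $valueName -Value 0 -Type DWord
} else {
    Write-Output "WDigest plaintext credential caching is disabled."
}
```

Because the same value can be flipped back to 1 to re-enable caching, a registry-change event on this key is itself a useful signal to alert on in the SIEM alongside the LSASS access detections.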

Why You Need to Look Out for Credential Dumping Done via WDigest

Cyber attackers are always seeking ways to gain unauthorized entry into systems and networks. One technique that allows them to do just that is credential dumping: extracting user credentials from a system’s memory. Because WDigest stores plaintext passwords in memory by design, it inadvertently makes this technique possible.

By using tools like Mimikatz, attackers can dump these credentials and use them to escalate their privileges or move laterally within a network. Moreover, they can maintain persistence by reusing valid credentials to access resources, even after all initial malware or backdoors have been removed...