Closed Captioning Closed captioning available on our YouTube channel

How to monitor Windows to prevent credential theft attacks

CSO Online | Sep 18, 2019

Attackers are now enabling WDigest credential caching to allow them to harvest credentials. Here’s how to spot it.

Copyright © 2019 IDG Communications, Inc.

Hello again. This is Susan Bradley for CSO Online. Today we're going to talk about credential harvesting. And what got me on this topic again was a posting on the Microsoft defender security center. That reminded me that credential harvesting occurs in lots of ways. One particular way is through something called W digest. That we digest credential harvesting is something that's been around for a long time. But it's something you may want to revisit as a result of a somewhat recent security threat. Last year there was a malicious program called Trickbot. And it had an unusual part that included a screenlocker module. The screen locker module was specifically designed to capture and harvest credentials. What was unique and how it actually went back and enabled that w digest support. So if you had a disabled or if you had it not set at all, it would actually go through your systems and enabled w digest support. The screen locker module would then kick in making the user re log in. That process of re logging in capture the credentials they could then harvest that credentials inside of LSA memory and then off they went to the races. So their intention in this circumstance was not for ransom rather, they wanted your username and password. And back in March of this year I actually wrote an article talking about W digest and how it was a security patch that needed additional registry keys. And if you kind of snoozed a little bit and forgot about it and realize that you didn't need it on Windows 8.1 and higher you might not think you would need to care about it. But BLEEPING COMPUTER article reminded us that even if you don't have W digest enabled. The attackers can actually go back and re enable it and capture that information.
So what's a person to do. So what you want to do is proactively set that register key even on higher versions.
And then you want to monitor those registry keys and make sure that they're not tampered with. So look for the key local machine system current controls set. Control security providers w digests and actually set that. Use log on credential. You can do it through group policy. You can do it through a script. And then go back and query and make sure it's set properly. Even in later versions of 8.1 and 2012 R2 and later Windows 10 all of those newer ones. You don't need the registry key in place but proactively putting it there means that the attackers can't come back and set it again. So take a quick query of all your endpoints and check to see that that w digest setting is set to what you want it to be not what the attackers want it to be. Until next time This is Susan Bradley for CSOonline. See you at tech talk from IDG on YouTube channel.
Featured videos from