Empire WDigest Downgrade

Metadata

Author

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2019/05/18

Modification Date

2020/09/20

Tactics

[‘TA0005’]

Techniques

[‘T1112’]

Tags

[‘Registry Modification’, ‘Windows Registry WDigest’]

Dataset Description

This dataset represents adversaries setting the UseLogonCredential property value from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest key to 1 to enable plain text passwords.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author

Name

Link

Threat Hunter Playbook

WDigest Downgrade

https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190510202010.html

Simulation Plan

Environment

Tool Type

Module

Mordor shire

C2

wdigest_downgrade

Adversary View


Explore Mordor Dataset

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/defense_evasion/host/empire_wdigest_downgrade.tar.gz"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

Get to know your data

df = spark.sql(
'''
SELECT Hostname,Channel,EventID, Count(*) as count
FROM mordorTable
GROUP BY Hostname,Channel,EventID
ORDER BY count DESC
'''
)
df.show(truncate=False)