Endpoint Standard: Why are Many Severity 10 Alerts with blocks seen related to attempts to modify a sensitive registry key?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.6+

Question

  • Why are Severity 10 Alerts with Blocks seen showing "The application svchost.exe attempted to modify a sensitive registry key. A Deny action was applied."?

Answer

  • This alert is triggered by a Group Policy (or other configuration change) that enables WDigest credential caching by setting the registry value below to 1 instead of 0. With the value at 1, WDigest keeps logon credentials in LSASS memory in clear text, which is the classic "WDigest downgrade" used by credential-dumping tools. The write is attributed to svchost.exe because the Group Policy Client service (gpsvc) runs inside an svchost.exe host process; the sensor treats the write as a credential theft attempt and denies it. Because the Deny is applied on every policy refresh for as long as the GPO keeps setting the value, the alert repeats until the setting is removed from the policy.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
DWORD: UseLogonCredential
Value: 1 (enables clear-text credential caching; 0, the default on Windows 8.1 / Server 2012 R2 and later, disables it)
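The following PowerShell script is an added example and is not part of the Carbon Black article. It audits the UseLogonCredential value on an endpoint, reports whether clear-text WDigest caching is enabled, and remediates by setting the value to 0. It assumes an elevated session on the affected endpoint; the function names and the use of -WhatIf for a dry run are the example's own choices. If a GPO keeps re-applying the value, identify the policy with `gpresult /h report.html` and remove the setting there, otherwise the sensor will keep blocking and alerting at every policy refresh.

```powershell
# Added example (not from the KB article): audit and remediate the WDigest
# UseLogonCredential setting referenced in the alert.
# Assumes an elevated PowerShell session on the endpoint.

$WDigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName   = 'UseLogonCredential'

function Get-WDigestSetting {
    # Returns 0 or 1 if the value exists, or $null if it is absent.
    # Absent means clear-text caching is disabled on Windows 8.1 / 2012 R2 and later.
    $item = Get-ItemProperty -Path $WDigestPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Disable-WDigestCleartext {
    # Sets UseLogonCredential to 0. Supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$WDigestPath\$ValueName", 'Set DWORD to 0')) {
        New-ItemProperty -Path $WDigestPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

$current = Get-WDigestSetting
if ($null -eq $current) {
    Write-Output "$ValueName is not set; WDigest clear-text caching is disabled by default on this OS version."
}
elseif ($current -eq 0) {
    Write-Output "$ValueName = 0; WDigest clear-text caching is disabled."
}
else {
    Write-Warning "$ValueName = $current; WDigest will keep clear-text credentials in LSASS memory."
    # Remove -WhatIf to apply the change. A GPO that sets the value to 1 will
    # re-apply it on the next refresh, so fix the policy as well.
    Disable-WDigestCleartext -WhatIf
}
```

Run the script on a host that raised the alert: if it reports 0 or "not set", the sensor's Deny kept the downgrade from taking effect and the remaining work is in the GPO; if it reports 1, the value was already present before the sensor began blocking and should be reset as shown.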

Additional Notes

  • A Dynamic Rules Engine (DRE) rule, Credential Theft Prevention Revision[18], released at the end of September / early October 2021, provides additional visibility into and prevention of WDigest downgrade attacks.

Article Information
Creation Date: 11-25-2021