Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: 3.6+
Question
- Why are Severity 10 Alerts with Blocks seen with the message "The application svchost.exe attempted to modify a sensitive registry key. A Deny action was applied."?
Answer
- A Group Policy that enables WDigest credential caching triggers this alert. Group Policy is applied by the Group Policy Client service, which runs inside svchost.exe, so svchost.exe is the process that attempts the write. The policy changes the registry value below from 0 to 1, which forces WDigest to keep logon credentials in LSASS memory in clear text, where a credential-dumping tool can read them. The sensor treats the write as a credential theft attempt and denies it, hence the Severity 10 alert with a Block.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
DWORD: UseLogonCredential
Value: 1
- Confirm whether the GPO is intended to enable this setting. If it is not, remove the setting from the GPO (or set the value to 0); the blocked write is the expected and desired outcome.
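The following PowerShell script is an added example, not part of the original KB article or any Carbon Black tooling. It audits the UseLogonCredential value on a host, optionally resets it to 0, and searches SYSVOL for the GPO that pushes the value. It assumes it runs elevated, and the SYSVOL search assumes a domain-joined machine with read access to the domain's Policies share; the -Remediate and -FindGpo switches are names chosen for this example.

```powershell
# Added example (not from the original KB article): audit, optionally harden, and
# locate the source of the WDigest UseLogonCredential setting that triggers the alert.
# Assumptions: runs elevated; -FindGpo requires a domain-joined host with SYSVOL read access.
[CmdletBinding()]
param(
    [switch]$Remediate,   # set UseLogonCredential to 0 if it is currently 1
    [switch]$FindGpo      # scan SYSVOL for GPOs that reference UseLogonCredential
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$valueName = 'UseLogonCredential'

# Read the value without throwing if it does not exist.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $current) {
    # On Windows 8.1 / Server 2012 R2 and later, an absent value means plaintext caching is off.
    # Older systems need KB2871997 plus an explicit 0 to get the same behaviour.
    Write-Output "$valueName is not set: WDigest plaintext caching is disabled by default on 8.1/2012 R2+."
}
elseif ($current -eq 1) {
    Write-Warning "$valueName = 1: WDigest will cache clear-text credentials in LSASS. This is the write the sensor blocks."
    if ($Remediate) {
        Set-ItemProperty -Path $keyPath -Name $valueName -Value 0 -Type DWord
        Write-Output "Set $valueName to 0. Credentials already cached stay in memory until those sessions end."
    }
}
else {
    Write-Output "$valueName = $current: WDigest plaintext caching is disabled."
}

if ($FindGpo) {
    # GP Preferences store registry items in Registry.xml; ADM-based policies land in registry.pol.
    # Searching the whole Policies tree catches both forms.
    $policies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    if (Test-Path $policies) {
        Get-ChildItem -Path $policies -Recurse -Include 'Registry.xml','registry.pol' -ErrorAction SilentlyContinue |
            Select-String -Pattern $valueName -SimpleMatch |
            ForEach-Object {
                # The GUID folder under Policies identifies the GPO; map it to a name if the GroupPolicy module is present.
                $guid = ($_.Path -split '\\' | Where-Object { $_ -match '^\{[0-9A-Fa-f-]+\}$' })[0]
                $name = $guid
                if (Get-Command Get-GPO -ErrorAction SilentlyContinue) {
                    $gpo = Get-GPO -Guid ($guid.Trim('{}')) -ErrorAction SilentlyContinue
                    if ($gpo) { $name = $gpo.DisplayName }
                }
                Write-Output "GPO '$name' references $valueName in $($_.Path)"
            }
    }
    else {
        Write-Warning "SYSVOL Policies share not reachable at $policies; is this host domain-joined?"
    }
}
```

Run it as `.\Check-WDigest.ps1` to audit only, `-Remediate` to set the value back to 0, and `-FindGpo` to identify which GPO is pushing the value so the policy itself can be fixed; otherwise the next Group Policy refresh will re-attempt the write and raise the same alert.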
Additional Notes
- Dynamic Rules Engine (DRE) Rule "Credential Theft Prevention" Revision[18], released late September / early October 2021, adds further visibility into and prevention of WDigest downgrade attacks (forcing UseLogonCredential to 1 so that clear-text credentials are cached).