Security Monitoring: Wdigest passwords stored in clear text

SecurityMonitoringMP.WDigestRegConfiguredMonitor (UnitMonitor)

Element properties:

Target: Microsoft.Windows.Server.OperatingSystem
Parent Monitor: System.Health.SecurityState
Category: Custom
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: SecurityMonitoringMP.RegValueMonitorType
Remotable: True
Accessibility: Internal
Alert Message:
Security Monitoring: Wdigest registry key has been set to the wrong value
This key is known to be set by attackers to force LSass to store Wdigest passwords in plain text. By setting this key to a value of 1, the attacker can mine a Wdigest password in clear text.


See https://blogs.technet.microsoft.com/kfalde/2014/11/01/kb2871997-and-wdigest-part-1/ for details.
RunAs: Default

Source Code:

<UnitMonitor ID="SecurityMonitoringMP.WDigestRegConfiguredMonitor" Accessibility="Internal" Enabled="true" Target="Windows!Microsoft.Windows.Server.OperatingSystem" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="SecurityMonitoringMP.RegValueMonitorType" ConfirmDelivery="true">
  <Category>Custom</Category>
  <AlertSettings AlertMessage="SecurityMonitoringMP.WDigestRegConfiguredMonitor_AlertMessageResourceID">
    <AlertOnState>Error</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>Error</AlertSeverity>
    <AlertParameters/>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="UseLogonCredentialValueGood" MonitorTypeStateID="RegValueGood" HealthState="Success"/>
    <OperationalState ID="UseLogonCredentialValueBad" MonitorTypeStateID="RegValueBad" HealthState="Error"/>
  </OperationalStates>
  <Configuration/>
</UnitMonitor>
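
The check this monitor's alert message describes can be run by hand on a single server. The following is an added example, not code from the management pack: the function name, the output fields and the Good/Bad mapping are assumptions (the monitor's `<Configuration/>` is empty on this page), and the registry path is the standard WDigest security-provider key, which the page itself does not spell out.

```powershell
# Added example: classify the local WDigest UseLogonCredential setting.
# Get-WDigestCredentialState is a hypothetical name, not part of SecurityMonitoringMP.
function Get-WDigestCredentialState {
    [CmdletBinding()]
    param(
        # Standard WDigest provider key (not stated on the page).
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    )

    $valueName = 'UseLogonCredential'
    $osVersion = [Environment]::OSVersion.Version   # 6.3 = Windows 8.1 / Server 2012 R2

    $item = Get-ItemProperty -Path $KeyPath -Name $valueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value absent: the effective behaviour depends on the OS release.
        # 6.3 and later default to not caching; older releases cache unless
        # KB2871997 is installed AND the value is explicitly set to 0.
        $value = $null
        if ($osVersion -ge [Version]'6.3') {
            $state  = 'Good'
            $reason = 'Value not set; this OS release does not cache WDigest credentials by default.'
        } else {
            $state  = 'Bad'
            $reason = 'Value not set; this OS release caches WDigest credentials unless the value is 0.'
        }
    } else {
        $value = $item.$valueName
        if ($value -eq 0) {
            $state  = 'Good'
            $reason = 'UseLogonCredential is 0; clear-text caching is disabled.'
        } else {
            # Any non-zero value is treated as Bad (conservative assumption).
            $state  = 'Bad'
            $reason = "UseLogonCredential is $value; LSASS will keep WDigest passwords in clear text."
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = $osVersion.ToString()
        Value        = $value
        State        = $state
        Reason       = $reason
    }
}

Get-WDigestCredentialState
```

A `Bad` result with an explicit value of 1 on a release that defaults to 0 means something wrote the value deliberately, so review who changed the key before resetting it to 0.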