A recent CrowdStrike blog post described how attackers were targeting a specific industry. What caught my eye was how they made sure they could steal credentials inside the firm: “Five minutes after gaining access to the host …, the adversary modified the registry to implement a widely known procedure that enables credentials to be stored in clear text within memory, facilitating credential theft:

reg add hklm\system\currentcontrolset\control\securityproviders\wdigest /v UseLogonCredential /t REG_DWORD /d 1 /F

”
Last year I wrote about how to prevent the use of WDigest credential theft. Clearly, not everyone has learned the lesson. Attackers use old attacks because they still work—and work well. What can you do to ensure that you aren’t this easy to attack?
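The attacker's one-liner flips UseLogonCredential to 1 so that WDigest keeps a reversible copy of each logon password in LSASS, where a memory-scraping tool can read it back. The defensive counterpart is to own that value yourself and to watch for anyone changing it. The PowerShell below is an added example for this post, not code from CrowdStrike or from the incident described; it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (or an older host with KB2871997 installed), and, for the detection part, a Sysmon install that logs RegistryEvent (Event ID 13) for the WDigest key. The function names are my own.

```powershell
# Added example, not from the original post: audit and harden the WDigest
# UseLogonCredential value that the quoted attacker command sets to 1, then
# hunt for anyone setting it again.
# Assumptions: run elevated; Windows 8.1 / Server 2012 R2+ or KB2871997 applied,
# so that a value of 0 (or no value at all) keeps WDigest from caching plaintext
# passwords in LSASS; Sysmon present with RegistryEvent logging for this key.

$WDigestKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName   = 'UseLogonCredential'

function Get-WDigestState {
    # Returns 'absent' (the hardened default on patched/new systems) or the DWORD value.
    $item = Get-ItemProperty -Path $WDigestKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'absent' }
    return [int]$item.$ValueName
}

function Set-WDigestHardened {
    # Write an explicit 0 instead of relying on the absent-value default, so a
    # later "reg add ... /d 1" is a change to a value you deliberately own.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name $ValueName -Type DWord -Value 0
}

function Find-WDigestTampering {
    # Pulls Sysmon Event ID 13 (RegistryEvent: value set) records that touched
    # UseLogonCredential. The Details line shows the DWORD that was written,
    # so "DWORD (0x00000001)" is the attacker re-enabling caching.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SecurityProviders\\WDigest\\UseLogonCredential' } |
        ForEach-Object {
            $lines = $_.Message -split "`n"
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Image   = ($lines | Where-Object { $_ -match '^Image:' }) -replace '^Image:\s*', ''
                Details = ($lines | Where-Object { $_ -match '^Details:' }) -replace '^Details:\s*', ''
            }
        }
}

# --- audit and harden ---
$before = Get-WDigestState
Write-Host "UseLogonCredential before: $before"
if ($before -eq 1) {
    Write-Warning 'WDigest plaintext credential caching is ENABLED on this host; hardening now.'
}
Set-WDigestHardened
Write-Host "UseLogonCredential after:  $(Get-WDigestState)"
# Caveat: the setting governs what WDigest stores for subsequent logons. To be
# sure nothing from existing sessions is still sitting in LSASS, have those
# users log off (or reboot the host) after the change.

# --- detection ---
Find-WDigestTampering | Format-Table -AutoSize
```

Run the audit section across a fleet (for example through a scheduled task or your configuration-management tool) rather than once by hand: the attacker's change takes seconds, so the value has to be both pinned at 0 and alerted on, not just checked occasionally. If you do not run Sysmon, the same write can be caught with native registry auditing (a SACL on the WDigest key plus Security event 4657), and any process other than your own management tooling writing this value is worth a ticket.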