WdToggle is a Proof of Concept Cobalt Strike Beacon Object File which uses direct system calls to enable WDigest credential caching and circumvent Credential Guard (if enabled).
What is this repository for?
g_fParameter_UseLogonCredential
global parameter to 1 within the LSASS process (wdigest.dll module).g_IsCredGuardEnabled
variable to 0 within the LSASS process (wdigest.dll module).How do I set this up?
We will not supply compiled binaries. You will have to do this yourself:
sudo port install mingw-w64
).make
command to compile the Beacon object file.inline-execute
command and provide the path to the object WdToggle.o
file.logonpasswords
command (Mimikatz) and notice that clear text passwords are enabled again for new user logins or users who unlock their desktop session.Limitations
wdigest!g_fParameter_UseLogonCredential
and wdigest!g_IsCredGuardEnabled
global variable could change between Windows versions and revisions. We provided some offsets for different builds, but these can change in future releases. You can add your own version offsets which can be found using the Windows debugger tools.C:\Program Files (x86)\Windows Kits\10\Debuggers\x64>cdb.exe -z C:\Windows\System32\wdigest.dll
0:000>x wdigest!g_fParameter_UseLogonCredential
00000001`800361b4 wdigest!g_fParameter_UseLogonCredential = <no type information>
0:000> x wdigest!g_IsCredGuardEnabled
00000001`80035c08 wdigest!g_IsCredGuardEnabled = <no type information>
0:000>
Detection
To detect credential theft through LSASS memory access, we could use a tool like Sysmon. Sysmon can be configured to log processes opening a handle to the lsass.exe process. With this configuration applied, we can gather telemetry for suspicious processes accessing the LSASS process and help detecting possible credential dumping activity. Of course, there are more options to detect credential theft, for example using an advanced detection platform like Windows Defender ATP. But if you don’t have the budget and luxury of using these platforms, then Sysmon is that free tool that can help to fill up the gap.
Credits
Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…
Docker is one of the most widely used containerization platforms. But there may come a…
Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…
What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…
Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…