2025-01-24 Update From: SLTechnology News&Howtos shulou
Shulou (Shulou.com) 05/31 Report
Today I will talk about how to use direct system calls to enable WDigest credential caching. Many readers may not be familiar with the technique, so the following summary is meant to help you understand it.
The WdToggle technique
WdToggle is a proof-of-concept Cobalt Strike Beacon Object File (BOF) that uses direct system calls to enable WDigest credential caching in LSASS and attempts to bypass Credential Guard.
The BOF issues the system calls through inline assembly instead of calling the documented Win32 or ntdll APIs. This is a stealthier way to interact with the LSASS process: because the user-mode API functions are never called, AV/EDR products that hook those functions in ntdll.dll do not see the call.
Visual Studio (C++) does not support inline assembly for x64 targets. To write a single BOF source file that contains the assembly stubs, the project therefore has to be built with the Mingw-w64 compiler (GCC for Windows).
The WdToggle repository
To make it easy to experiment with WdToggle, the code is published in a GitHub repository (https://github.com/outflanknl/WdToggle).
The main features of this repository are as follows:
Demonstrates the use of direct system calls via inline assembly as a stealthier way to interact with the LSASS process.
Enables WDigest credential caching by toggling the g_fParameter_UseLogonCredential global variable to 1 inside the LSASS process (wdigest.dll module).
Bypasses Credential Guard (if enabled) by toggling the g_IsCredGuardEnabled global variable to 0 inside the LSASS process (wdigest.dll module).
Packages the code as a Beacon Object File (BOF) so that it executes inside the Beacon process rather than in a spawned helper process.
How to set up the experimental environment
No compiled binaries are provided, so you need to build the code yourself.
First, clone the WdToggle source code locally with the following command:
git clone https://github.com/outflanknl/WdToggle.git
Make sure the Mingw-w64 compiler is installed. On macOS it can be installed through MacPorts with the following command:
sudo port install mingw-w64
Next, run the following command to build the Beacon Object File (BOF):
make
Within a Cobalt Strike Beacon context, run the inline-execute command and give it the path to the WdToggle.o object file.
Then run Cobalt Strike's logonpasswords command (Mimikatz). Keep in mind that WDigest only caches cleartext credentials for logons that happen after the toggle, so run logonpasswords again once users have logged on or unlocked their desktop sessions.
Limitations
The technique does not survive a reboot, so the BOF has to be executed again after the device restarts.
The memory offsets of the wdigest!g_fParameter_UseLogonCredential and wdigest!g_IsCredGuardEnabled global variables differ between Windows versions. You can use the Windows debugger (cdb.exe from the Windows SDK Debugging Tools) to resolve the symbols and add the offsets for your own OS build; the offset used in the code is the symbol address minus the module base address that cdb shows for wdigest.dll:
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64> cdb.exe -z C:\Windows\System32\wdigest.dll
0:000> x wdigest!g_fParameter_UseLogonCredential
00000001`800361b4 wdigest!g_fParameter_UseLogonCredential
0:000> x wdigest!g_IsCredGuardEnabled
00000001`80035c08 wdigest!g_IsCredGuardEnabled
To detect credential theft through LSASS memory access, we can use a tool such as Sysmon. Sysmon can be configured to log every process that opens a handle to lsass.exe (Event ID 10, ProcessAccess). With that configuration in place we collect telemetry on processes accessing LSASS, which helps detect possible credential dumping and, because WdToggle must open LSASS with write access to flip the variables, in-memory tampering such as this toggle as well. There are of course more options for detecting credential theft, for example advanced detection platforms such as Windows Defender ATP. If you do not have the budget for such platforms, however, Sysmon is a free tool that helps fill the gap.
(Screenshot: WdToggle running in a Beacon console)
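To make the Sysmon approach concrete, here is an added example (not code from the WdToggle project or from this article) that triages Sysmon Event ID 10 (ProcessAccess) records for handle opens on lsass.exe. It parses the XML shape Sysmon writes to the event log, decodes the GrantedAccess mask to separate a memory write (what an in-memory WDigest toggle needs) from a plain read (a dump), and treats an innermost CallTrace frame that is not ntdll.dll as a direct-syscall indicator. The sample events, image paths, allowlist and that CallTrace heuristic are constructed assumptions to be tuned per environment.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for LSASS access.

Added example, not WdToggle project code. The events are constructed samples
in the XML shape Sysmon writes; ALLOWLIST and the CallTrace heuristic are
assumptions for a lab, not vendor defaults.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Access-right bits from the PROCESS_* constants in winnt.h.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Assumed allowlist: system images that routinely open lsass.exe with
# limited rights. Build yours from a baseline of real Event ID 10 data.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def make_event(source, target, granted, calltrace, event_id=10):
    """Build one record in the XML layout Sysmon uses (constructed sample)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System>"
        "<EventData>"
        f'<Data Name="SourceImage">{source}</Data>'
        f'<Data Name="TargetImage">{target}</Data>'
        f'<Data Name="GrantedAccess">{granted}</Data>'
        f'<Data Name="CallTrace">{calltrace}</Data>'
        "</EventData></Event>"
    )


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find(f"{NS}System/{NS}EventID").text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    return event_id, data


def classify(xml_text):
    """Classify one event; None if it is not a handle open on lsass.exe."""
    event_id, data = parse_event(xml_text)
    target = data.get("TargetImage", "").lower()
    if event_id != 10 or not target.endswith("\\lsass.exe"):
        return None
    source = data.get("SourceImage", "")
    mask = int(data.get("GrantedAccess", "0x0"), 16)
    writes = bool(mask & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION))
    reads = bool(mask & PROCESS_VM_READ)
    # A normal OpenProcess call enters the kernel from ntdll.dll, so the
    # innermost CallTrace frame names ntdll. A direct syscall leaves the
    # caller's own (often unbacked) code there, which Sysmon prints as UNKNOWN.
    first_frame = data.get("CallTrace", "").split("|")[0].lower()
    direct_syscall = "ntdll.dll" not in first_frame
    if writes:
        verdict = "memory-write"   # in-memory patch of LSASS, e.g. a WDigest toggle
    elif reads:
        verdict = "memory-read"    # typical of a credential dump
    else:
        verdict = "handle-only"
    if source.lower() in ALLOWLIST and not writes:
        verdict = "allowlisted"    # known image, no write rights requested
    return {"source": source, "granted": hex(mask),
            "verdict": verdict, "direct_syscall": direct_syscall}


def triage(events):
    """Classify a batch of event XML strings, dropping non-LSASS events."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed samples: a benign service, a WdToggle-style write via direct
# syscall, a read-only dump through the normal API, and an unrelated event.
SAMPLE_EVENTS = [
    make_event(r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\lsass.exe",
               "0x1000", r"C:\Windows\SYSTEM32\ntdll.dll+9d5a4|C:\Windows\System32\KERNELBASE.dll+2a3f5"),
    make_event(r"C:\Users\alice\AppData\Local\Temp\update.exe", r"C:\Windows\system32\lsass.exe",
               "0x1438", r"UNKNOWN(000001B2C3D40123)|UNKNOWN(000001B2C3D4A7F0)"),
    make_event(r"C:\Tools\mimikatz.exe", r"C:\Windows\system32\lsass.exe",
               "0x1410", r"C:\Windows\SYSTEM32\ntdll.dll+9d5a4|C:\Tools\mimikatz.exe+4a21"),
    make_event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
               "0x1410", r"C:\Windows\SYSTEM32\ntdll.dll+9d5a4"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

To collect these events in the first place, a minimal Sysmon rule of the form `<ProcessAccess onmatch="include"><TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage></ProcessAccess>` is enough. Note that a full-access open (GrantedAccess 0x1FFFFF, as some dumping tools request) also lands in the memory-write bucket, which is the intended conservative behaviour.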