4 matches found
WdToggle - A Beacon Object File (BOF) For Cobalt Strike Which Uses Direct System Calls To Enable WDigest Credential Caching
A Proof of Concept Cobalt Strike Beacon Object File which uses direct system calls to enable WDigest credential caching and circumvent Credential Guard if enabled. Additional guidance can be found in this blog post: https://outflank.nl/blog/?p=1592 Background This PoC code is based on the followi...
Microsoft Windows: MS Security Guide: WDigest Authentication
When WDigest authentication is enabled, Lsass.exe retains a copy of the user...
Domain penetration--Dump Clear-Text Password after KB2871997 installed-vulnerability warning-the black bar safety net
In penetration testing, a penetration tester will typically use mimikatz to export the system's plaintext passwords from LSA memory, while experienced administrators will often install patch KB2871997 to limit this behavior. This one relates to what are the interesting...
Windows Post Manage WDigest Credential Caching
On Windows 8/2012 or higher, the Digest Security Provider WDIGEST is disabled by default. This module enables/disables credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider's Registry key. Any subsequent logins will allow mimikatz to recover th...