Secure Bits
Plaintext Passwords in Windows 11? Still possible.
Modern Windows versions like Windows 11 and Windows Server 2025 are far more secure by default. But legacy components can still introduce surprising risks if you're not careful.
One example: WDigest authentication.
Disabled by default for years, but with one registry tweak you can re-enable it, and Windows will start caching plaintext credentials again.
Registry path:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential=1
No reboot needed, just a logon, and the password is in memory.
Why would this matter?
For attackers, plaintext creds open more doors than hashes, and this is a known technique used to bypass otherwise modern protections.
⚠️ LSASS protection is good, but not perfect:
✅ Windows 11 protects LSASS by default
❌ But Credential Guard requires Enterprise edition, and many orgs still run Pro
✅ Protected Users group is free and effective, and often underused. It blocks several forms of credential caching, including WDigest.
👉 If you're not using Protected Users for your privileged accounts, you're leaving them exposed.
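Added example (my own audit script, not code from the original post): it checks the WDigest setting described above and lists privileged accounts that are not yet in Protected Users. It assumes an elevated PowerShell session on a domain-joined host with the ActiveDirectory RSAT module installed; the set of "privileged" groups is my assumption and should be adjusted to your tiering model.

```powershell
# Added example, not part of the original post.
# Part 1: audit (and optionally pin) WDigest UseLogonCredential.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$value = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential

if ($null -eq $value) {
    "UseLogonCredential is not set: WDigest plaintext caching is off by default on this OS"
}
elseif ($value -eq 1) {
    "WARNING: UseLogonCredential=1, WDigest will cache plaintext credentials at next logon"
}
else {
    "UseLogonCredential=$value (WDigest caching disabled)"
}

# Optional hardening: explicitly pin the value to 0 so any later change to 1
# shows up as a modification in registry auditing rather than a new key.
# Set-ItemProperty -Path $wdigestKey -Name UseLogonCredential -Value 0 -Type DWord

# Part 2: privileged accounts missing from Protected Users.
# The list of privileged groups below is an assumption; adapt it to your environment.
Import-Module ActiveDirectory
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty SamAccountName

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privileged = $privilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName -Unique

$privileged | Where-Object { $_ -notin $protected } |
    ForEach-Object { "Privileged account not in Protected Users: $_" }
```

Run part 1 on every endpoint through your configuration-management tooling and alert on any host where the value is 1; monitoring writes to that registry value (for example with Sysmon registry events) catches the "one tweak" the post warns about. Before moving accounts into Protected Users, test them: the group also disables NTLM, DES/RC4 Kerberos keys and delegation for its members, so service accounts that depend on those will break.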
I am not even mentioning the memory of the MSTSC process, which I discuss in another post….
💬 How are you defending against credential theft in your org?
