Question

A penetration tester is running a phishing test and receives a shell from an internal computer that is running the Windows 10 operating system. The tester decides that he wants to use Mimikatz to perform credential harvesting. The tester wants to allow for credential caching. Which of the following registry changes would allow this?

A. reg add HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 0
B. reg add HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
C. reg add HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
D. reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1

Answer 1

The correct registry change for enabling credential caching to use Mimikatz is to set the UseLogonCredential value to 1 in the WDigest key of the Windows registry.

Step-by-step explanation:

The correct registry change to enable credential caching using Mimikatz on a Windows 10 machine would be to enable WDigest credential caching. The appropriate command for doing this is:

reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

However, the options provided in the question seem to have a typo, as the correct value name is 'UseLogonCredential' rather than 'userLogoCredential'. Despite the typo, the closest correct answer given the options would be:

reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

This registry change allows the WDigest protocol to store plaintext passwords in memory, thus enabling tools like Mimikatz to extract them.