WDigest (Digest Authentication) is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It authenticates over Hypertext Transfer Protocol (HTTP) and Simple Authentication and Security Layer (SASL) exchanges.
It should be noted that up to Windows 8 and Windows Server 2012, storing credentials for WDigest was a default setting. This is no longer the case with Windows 10 and Windows Server 2016+. Additionally, it should be noted that WDigest credentials are cached in LSASS memory in cleartext, so anyone who can read LSASS memory can recover the plaintext password rather than just a hash.
It is easy to verify whether or not caching is enabled by querying the following registry value (a value of `1`, or a missing value on Windows 8 / Server 2012 and older, means cleartext caching is on):

```
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
```
If identified, WDigest credentials can be retrieved with a tool such as Mimikatz:

```
sekurlsa::wdigest
```
It should be noted that even though storing credentials in WDigest is no longer a default setting, it is still something that can be manually configured by an attacker after obtaining access to a system. This is done by modifying the following registry value, shown here with both `reg.exe` and PowerShell:

```
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
```

```powershell
Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value 1 -Type DWord
```
We would then be able to dump the credentials of any user who subsequently authenticates to the system with a tool like Mimikatz. Note that the change only affects logons that happen after the value is set, since existing sessions were cached under the previous setting.
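From the defender's side, the same registry value is both the control and the indicator. The following PowerShell script is an added example written for this page, not code from the original post or from the tools it links. It reports whether the host currently caches cleartext WDigest credentials (treating a missing value on builds older than 6.3 as the default-on behaviour described above), enforces the hardened setting explicitly, and searches the Sysmon operational log for recent writes to `UseLogonCredential`. It assumes an elevated session and, for the detection part, that Sysmon is installed with a registry-event rule covering this key; the function names are my own.

```powershell
# Added example (not from the original page): audit, harden and detect
# changes to the WDigest UseLogonCredential value.
# Assumptions: run elevated; Sysmon with RegistryEvent (Event ID 13) rules
# is present if Get-WDigestKeyChanges is expected to return anything.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName = 'UseLogonCredential'

function Get-WDigestCachingState {
    # Describes whether LSASS will keep cleartext WDigest credentials in memory.
    $os    = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $value = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    if ($null -eq $value) {
        # Value absent: Windows 8.1 / Server 2012 R2 (6.3) and later default to off;
        # Windows 8 / Server 2012 (6.2) and older default to on, as the page notes.
        $enabled = ($os.Major -lt 6) -or ($os.Major -eq 6 -and $os.Minor -lt 3)
        $source  = 'default (value not present)'
    } else {
        $enabled = ($value -ne 0)
        $source  = "explicit value $value"
    }

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        OSVersion        = $os.ToString()
        CleartextCaching = $enabled
        Source           = $source
    }
}

function Disable-WDigestCaching {
    # Hardening: write an explicit REG_DWORD 0 so caching is off regardless of
    # the build's default. Credentials already in LSASS stay there until the
    # affected users log off, so a reboot or re-logon completes the fix.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-WDigestKeyChanges {
    # Detection: Sysmon Event ID 13 (RegistryEvent: Value Set) whose target is
    # UseLogonCredential. A write of DWORD 1 outside change control is a strong
    # indicator of credential-access preparation.
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 13
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SecurityProviders\\WDigest\\UseLogonCredential' } |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Image   = $data['Image']      # process that performed the write
                User    = $data['User']       # account it ran as (newer Sysmon versions)
                Details = $data['Details']    # e.g. "DWORD (0x00000001)"
            }
        }
}

# Usage
Get-WDigestCachingState | Format-List
Get-WDigestKeyChanges -Days 30 | Format-Table -AutoSize
# Disable-WDigestCaching   # uncomment to enforce the hardened setting
```

Because `Get-WDigestCachingState` treats a missing value differently depending on the OS build, it avoids the common false negative of reporting "not configured" as "safe" on an older host where the absence of the value is exactly what leaves cleartext caching on. Without Sysmon, the equivalent signal is Security event 4657 (registry value modified), which requires an object-access SACL on the WDigest key.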
{% embed url="https://stealthbits.com/blog/wdigest-clear-text-passwords-stealing-more-than-a-hash/" %}
{% embed url="https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext" %}