Endpoint Standard: Why are Many Severity 10 Alerts with blocks seen related to attempts to modify a sensitive registry key?

Article ID: 292138

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Why are Severity 10 Alerts with Blocks seen showing "The application svchost.exe attempted to modify a sensitive registry key. A Deny action was applied."?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.6+

Resolution

  • The alert is triggered by a Group Policy setting that enables WDigest to keep logon credentials in memory. The policy sets the registry value below to 1 (instead of 0, the secure default), which makes WDigest cache credentials in clear text inside LSASS; because this is a well-known precursor to credential theft, the sensor denies the write. The write is attributed to svchost.exe because Group Policy is processed by the Group Policy Client service, which runs under svchost.exe.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
DWORD: UseLogonCredential
Value: 1
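To find which endpoints already have the insecure value, set it back to 0, and locate the GPO that is pushing it, the following PowerShell is an added example (it is not part of this KB article and not Carbon Black code). It assumes an elevated session on the endpoint; the GPO search additionally assumes the GroupPolicy RSAT module on a domain-joined admin workstation. The function names are the author's own.

```powershell
# Added example (not from the Carbon Black KB article): audit and remediate the
# WDigest UseLogonCredential value that triggers the sensor's "sensitive registry
# key" deny. Run in an elevated PowerShell session on the affected endpoint.

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$Name = 'UseLogonCredential'

function Get-WDigestState {
    # Returns the current value; $null means the value is absent, which is the
    # secure default on Windows 8.1 / Server 2012 R2 and later (and on older
    # systems after KB2871997). Only 1 enables plaintext credential caching.
    $item  = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$Name } else { $null }
    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        UseLogonCredential    = $value
        PlaintextCredsInLsass = ($value -eq 1)
    }
}

function Set-WDigestSecure {
    # Explicitly sets UseLogonCredential to 0 so WDigest stops caching plaintext
    # credentials in LSASS. A sensor with the credential theft rule enabled may
    # deny this write too, so perform it through your approved management
    # channel rather than from an arbitrary interactive process.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
    Get-WDigestState
}

function Find-WDigestGpo {
    # Lists every GPO in the domain whose report references the WDigest key, so
    # the policy that keeps re-applying the value (and re-triggering the alert)
    # can be corrected at the source instead of on each endpoint.
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($gpo in Get-GPO -All) {
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        if ($report -match 'SecurityProviders\\WDigest') {
            [pscustomobject]@{ GpoName = $gpo.DisplayName; Id = $gpo.Id }
        }
    }
}

# Usage: audit first, then remediate locally and fix the GPO that set it.
Get-WDigestState
# Set-WDigestSecure
# Find-WDigestGpo
```

Fixing the endpoint alone is not enough: as long as the GPO still sets the value to 1, every policy refresh will attempt the write again and produce another Severity 10 alert, so the GPO itself must be changed to 0 or the setting removed.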
Additional Information

  • The Dynamic Rules Engine (DRE) rule Credential Theft Prevention Revision [18], released in late September / early October 2021, provides additional visibility into and prevention of WDigest downgrade attacks (re-enabling plaintext credential caching by setting UseLogonCredential to 1).