CompTIA PenTest+ (PT0-001) — Question 186

During a penetration test, a tester runs a phishing campaign and receives a shell from an internal PC running Windows 10 OS. The tester wants to perform credential harvesting with Mimikatz.
Which of the following registry changes would allow for credential caching in memory?

Answer options

• A. reg add HKLM\System\ControlSet002\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 0
• B. reg add HKCU\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
• C. reg add HKLM\Software\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1
• D. reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v userLogoCredential /t REG_DWORD /d 1

Correct answer: A

Explanation

The correct answer is A, as setting the userLogoCredential value to 0 in the specified registry path disables the credential caching mechanism, allowing Mimikatz to harvest credentials. Options B, C, and D either enable caching or reference incorrect registry paths, which would not achieve the desired outcome of credential harvesting.