MT.1088 - Devices with critical credentials should be protected by TPM.
Overview
Devices shown in the output are devices where a TPM (Trusted Platform Module) is not enabled but which contain credentials of critical accounts. When critical credentials are stored on devices without a TPM enabled, it is easier for adversaries to steal those credentials when the device is compromised.
How to fix
Investigate the related devices and the steps that need to be taken in order to enable TPM support. This varies depending on operating system, hardware, and device. For more detailed results, you can manually run the following query in advanced hunting.
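For the investigation step on a Windows device, a local TPM check can show which remediation applies. This is an added example, not the advanced hunting query referred to above and not part of Maester; the function name `Get-TpmTriage` and the wording of the next-step messages are assumptions made for illustration, and it must run in an elevated PowerShell session.

```powershell
# Added example: local TPM triage for a Windows device flagged by MT.1088.
# Get-TpmTriage is a hypothetical helper name, not a Maester cmdlet.
function Get-TpmTriage {
    [CmdletBinding()]
    param()

    # Get-Tpm ships with the built-in TrustedPlatformModule module (needs elevation).
    $tpm = Get-Tpm -ErrorAction Stop

    # Win32_Tpm exposes the TPM specification version.
    # The query returns nothing when Windows sees no TPM at all.
    $cim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Map the observed state to the next remediation step.
    $nextStep = if (-not $tpm.TpmPresent) {
        'No TPM visible to Windows: check UEFI/BIOS for a disabled firmware or discrete TPM, or confirm whether the hardware has one.'
    } elseif (-not $tpm.TpmEnabled) {
        'TPM present but disabled: enable it in UEFI/BIOS.'
    } elseif (-not $tpm.TpmReady) {
        'TPM enabled but not provisioned: run Initialize-Tpm, and reboot if RestartPending is set.'
    } else {
        'TPM is present, enabled and ready on this device.'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        TpmPresent     = $tpm.TpmPresent
        TpmEnabled     = $tpm.TpmEnabled
        TpmReady       = $tpm.TpmReady
        RestartPending = $tpm.RestartPending
        SpecVersion    = if ($cim) { $cim.SpecVersion } else { $null }
        NextStep       = $nextStep
    }
}

Get-TpmTriage | Format-List
```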
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1088 |
| Severity | Medium |
| Suite | Maester |
| Category | XSPM |
| PowerShell test | Test-MtXspmCriticalCredentialsOnNonTpmProtectedDevices |
| Tags | Device, LongRunning, MT.1088, XSPM |
Source
- Pester test: tests/XSPM/Test-XspmDevices.Tests.ps1
- PowerShell source: powershell/public/xspm/Test-MtXspmCriticalCredentialsOnNonTpmProtectedDevices.ps1