Credentials, tokens, or cookies from highly privileged users should not be exposed on vulnerable endpoints
Prerequisites
Microsoft Entra role assignments are analyzed using the IdentityInfo table in Microsoft Defender XDR.
As documented in Microsoft Learn, the details in PrivilegedEntraPimRoles are only available for tenants with Microsoft Defender for Identity. Therefore, these checks are only available for tenants with an onboarded MDI instance.
In addition, the OAuthAppInfo table is used to get details about applications, including unused permissions and permission scope / criticality. This table is populated by app governance records from Microsoft Defender for Cloud Apps.
App governance must be turned on to use this check. To turn on app governance, follow the steps in Turn on app governance.
Description
Exposure Management identifies credentials that are exposed on endpoints by using various signals and telemetry. For example, user cookies are identified by Smart Analysis of Browser Artifacts. The analysis runs periodically using Microsoft Defender for Endpoint. Currently, user cookies, primary refresh tokens, and Azure CLI secrets are supported. These identified secrets are available in the ExposureGraphEdges table of Microsoft Defender XDR. This check filters for exposed artifacts on endpoints with a high machine risk score or a high exposure score, as determined by Defender for Endpoint.
In addition, only authentication artifacts of users who hold eligible or permanent Entra ID roles on the Control Plane or Management Plane (as classified by the community project EntraOps), or of any user with a criticality level lower than Tier 1 (as defined in Critical Asset Management), are in scope for this check.
Exfiltration of authentication artifacts from a vulnerable device poses a significant security risk. Attackers who obtain these credentials (e.g., via an infostealer) can impersonate privileged users, bypass Conditional Access, and use the assigned sensitive roles. Protecting endpoints, especially those used by privileged users, is essential to prevent unauthorized access and reduce the attack surface.
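The following Advanced Hunting query is an added illustration of how such a check can be assembled from the tables named above; it is not the project's own query. It assumes that the exposure graph records exposed credentials as a device-to-user edge labeled "has credentials of", that ExposureGraphNodes.EntityIds carries entries of type "DeviceInventoryId" and "AadObjectId" for mapping graph nodes to DeviceInfo and IdentityInfo, and that DeviceInfo.ExposureLevel is a usable stand-in for the device exposure score. The EntraOps plane classification is simplified to "any eligible or permanent Entra role", and the machine risk score criterion is not covered, since it is not a DeviceInfo column. Verify the edge label and EntityIds types against your tenant before relying on the results.

```kusto
// Added example, not the project's own query: privileged users whose credentials,
// tokens or cookies are exposed on devices with a high exposure level.
// Assumed (verify in your tenant): edge label "has credentials of", EntityIds types
// "DeviceInventoryId" and "AadObjectId", and DeviceInfo.ExposureLevel as exposure proxy.
let lookback = 30d;
// Users in scope: eligible/permanent Entra roles (PIM or direct), or critical assets.
let PrivilegedUsers =
    IdentityInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, *) by AccountObjectId
    | where isnotempty(PrivilegedEntraPimRoles)   // requires Defender for Identity
        or isnotempty(AssignedRoles)
        or CriticalityLevel < 1                    // Critical Asset Management: lower than Tier 1
    | project AccountObjectId, AccountUpn, PrivilegedEntraPimRoles, AssignedRoles, CriticalityLevel;
// Devices in scope: high exposure level as reported by Defender for Endpoint.
let RiskyDevices =
    DeviceInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, *) by DeviceId
    | where ExposureLevel == "High"
    | project DeviceId, DeviceName, ExposureLevel;
// Map exposure graph nodes back to device and user identifiers (assumed EntityIds types).
let DeviceNodes =
    ExposureGraphNodes
    | where NodeLabel == "device"
    | mv-expand EntityIds
    | where tostring(EntityIds.type) == "DeviceInventoryId"
    | project DeviceNodeId = NodeId, DeviceId = tostring(EntityIds.id);
let UserNodes =
    ExposureGraphNodes
    | where NodeLabel == "user"
    | mv-expand EntityIds
    | where tostring(EntityIds.type) == "AadObjectId"
    | project UserNodeId = NodeId, AccountObjectId = tostring(EntityIds.id);
// Exposed-credential edges (device -> user), joined to the two scopes above.
ExposureGraphEdges
| where EdgeLabel =~ "has credentials of"          // assumed label for exposed secrets
| where SourceNodeLabel == "device" and TargetNodeLabel == "user"
| project DeviceNodeId = SourceNodeId, UserNodeId = TargetNodeId, EdgeProperties
| join kind=inner DeviceNodes on DeviceNodeId
| join kind=inner UserNodes on UserNodeId
| join kind=inner RiskyDevices on DeviceId
| join kind=inner PrivilegedUsers on AccountObjectId
| project DeviceName, ExposureLevel, AccountUpn, PrivilegedEntraPimRoles, AssignedRoles,
          CriticalityLevel, EdgeProperties   // EdgeProperties.rawData describes the artifact type
| sort by AccountUpn asc, DeviceName asc
```

Each row pairs one in-scope device with one in-scope user whose authentication artifact was found on it; an empty result under these assumptions means no privileged credential is currently exposed on a high-exposure endpoint, while any row is a candidate for the remediation described under "How to fix".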
How to fix
Review the risk and exposure score details on the related device page in the Device Inventory of the Microsoft Defender XDR portal, and address the findings there to improve the device's security posture.