MT.1089 - Devices with critical credentials should be protected by Credential Guard.
Overviewā
Devices shown in the output are devices where Credential Guard is not enabled or misconfigured, but contains credentials of critical accounts. When critical credentials are stored on devices without Credential Guard enabled, it is easy for adversaries to steal those credentials when the device is compromised. This is because, without Credential Guard enabled, Kerberos, NTLM, and Credential Manager secrets are stored in the Local Security Authority (LSA) process called lsass.exe, which can be dumped with various tools like MimiKatz. With Credential Guard enabled, these secrets are protected and isolated using Virtualization-based security (VBS).
How to fixā
Investigate the related devices and the steps that need to be taken in order to enable Credential Guard. This varies depending on operating system, hardware, and device. More information on how Credential Guard works and how it can be configured can be found in this documentation page.
Test Metadataā
| Field | Value |
|---|---|
| Test ID | MT.1089 |
| Severity | Medium |
| Suite | Maester |
| Category | XSPM |
| PowerShell test | Test-MtXspmCriticalCredentialsOnNonCredGuardProtectedDevices |
| Tags | Device, LongRunning, MT.1089, XSPM |
Sourceā
- Pester test:
tests/XSPM/Test-XspmDevices.Tests.ps1 - PowerShell source:
powershell/public/xspm/Test-MtXspmCriticalCredentialsOnNonCredGuardProtectedDevices.ps1