
Check if Credential Guard is enabled

Description: What does this query look for?

Looks for machines that have credential guard enabled (Windows)

What The Data Shows: What value does this provide, why would I want this information?

Ensuring Credential Guard is enabled protects machines against dumping NTLM hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials, which is what attacks such as pass-the-hash rely on.

SQL:

-- Returns a row for each LSA-related process whose image name matches the pattern;
-- 'lsa%so.exe' matches LsaIso.exe (LIKE is case-insensitive in SQLite for ASCII).
-- String literals use single quotes: SQLite treats double quotes as identifiers first.
SELECT * FROM processes
WHERE name LIKE 'lsa%so.exe';


6 Comments
kbrawley
Community Manager

Hi @mjomha, thank you for your contribution! We'll vet this submission and if it runs as expected we'll change the status of your query from Under Review to CB Approved.

Thanks again!

jnelson
Carbon Black Employee
Status changed to: Under Review

@mjomha sorry for the delayed response, but we are all at BRP. Would you consider changing your query to find instances where Credential Guard is disabled? This method reduces the number of results and speeds up analysis time. Thanks!

mjomha
Contributor

Hi Jnelson,


This finds all devices that do not have LsaIso.exe running, which is the Credential Guard process. The process only shows up running when Credential Guard is enabled and running. Credential Guard can be enabled, but that doesn't necessarily mean it's running. This confirms the process is running, indicating that it's enabled and actually running and working.

jnelson
Carbon Black Employee
Status changed to: Approved

@mjomha Thanks for the clarification! I misunderstood the purpose.

lsulkowski
Carbon Black Employee

Would it not be more correct to use lsalso.exe in the query when using an equal sign, given the process name is lsalso.exe?

jnelson
Carbon Black Employee

@lsulkowski Thanks!
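The thread above separates two signals: Credential Guard being configured (a policy value) and Credential Guard actually running (the isolated-LSA process LsaIso.exe), and the last comment raises the question of comparing the process name with an equal sign. The following osquery query is an added example, not the query from the original post or Carbon Black's own content. It reports one row per endpoint with both signals and a derived state, so an analyst can filter for devices where Credential Guard is configured but not running, or not configured at all. Assumptions: osquery's Windows `registry`, `processes` and `system_info` tables with the columns used here (`key`, `name`, `data`; `name`; `hostname`); the registry `data` column being compared as text; and Microsoft's documented `LsaCfgFlags` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (1 = enabled with UEFI lock, 2 = enabled without lock). The column aliases `lsa_cfg_flags`, `lsaiso_processes` and `credential_guard_state` are names chosen for this example.

```sql
-- Added example: Credential Guard "configured" vs "running" in one row per endpoint.
-- cfg: the policy value (assumed: osquery registry table, data compared as text;
--      COALESCE turns "value absent" into '0' so the CASE below has something to compare).
WITH cfg AS (
  SELECT COALESCE(
    (SELECT data FROM registry
       WHERE key  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
         AND name = 'LsaCfgFlags'), '0') AS flags
),
-- iso: number of LsaIso.exe processes. '=' is case-sensitive in SQLite, so the
-- exact image name casing is used; the original LIKE 'lsa%so.exe' matched case-insensitively.
iso AS (
  SELECT COUNT(*) AS n FROM processes WHERE name = 'LsaIso.exe'
)
SELECT
  (SELECT hostname FROM system_info) AS hostname,
  cfg.flags AS lsa_cfg_flags,
  iso.n     AS lsaiso_processes,
  CASE
    WHEN iso.n > 0               THEN 'running'
    WHEN cfg.flags IN ('1', '2') THEN 'configured_not_running'
    ELSE                              'not_configured'
  END AS credential_guard_state
FROM cfg, iso;
```

Because every endpoint returns exactly one row, the inverted view jnelson asked for is the subset where `credential_guard_state` is not `running`; the `lsa_cfg_flags` column then distinguishes a device that was never configured from one where the policy is set but the isolated LSA process has not started (typically a missing reboot or unmet virtualization-based security prerequisite). Where Credential Guard is deployed through Group Policy, the same `LsaCfgFlags` value is also written under `HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard`, so that key can be added to the `cfg` subquery in the same way.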