Query Exchange

mjomha · ‎06-14-2019

Description: What does this query look for?

Looks for machines that have credential guard enabled (Windows)

What The Data Shows: What value does this provide, why would I want this information?

Ensuring Credential Guard is enabled protects machines against dumping NTML hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials running attacks such as pass-the-hash.

SQL:

Select * from processes 
where name like "lsa%so.exe";

kbrawley · ‎06-14-2019

Hi @mjomha thank you for your contribution! We'll vet this submission and if it runs as expected we'll change this status of your query from Under Review to CB Approved.

Thanks again!

jnelson · ‎06-19-2019

@mjomha sorry for the delayed response, but we are all at BRP. Would you consider changing you query to find instances where Credential Guard is disabled? This method reduce the number of results and speed up analysis time. Thanks!

mjomha · ‎06-19-2019

Hi Jnelson,

This finds all devices that do not have LsaIso.exe running which is the credential guard process. The process only shows up running when Credential Guard is enabled and running. Credential guard can be enabled but doesn't necessarily mean it's running. This confirms the process is running indicating that it's enabled and actually running and working.

jnelson · ‎06-20-2019

@mjomha Thanks for the clarification! I misunderstood the purpose.

lsulkowski · ‎12-03-2019

Would it not be more correct to use lsalso.exe in the query when using equal sign given the process name is lsalso.exe?

jnelson · ‎12-05-2019

@lsulkowski Thanks!

Query Exchange

Check if Credential Guard is enabled