Built on the open source project osquery
Description: What does this query look for?
Looks for machines that have credential guard enabled (Windows)
What The Data Shows: What value does this provide, why would I want this information?
Ensuring Credential Guard is enabled protects machines against dumping of NTLM hashes, Kerberos Ticket Granting Tickets, and credentials that applications store as domain credentials, so those secrets cannot be reused in attacks such as pass-the-hash.
SQL:
-- lsaiso.exe is the isolated LSA process that only runs while Credential Guard is on
SELECT * FROM processes
WHERE name LIKE 'lsa%so.exe';
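A broader check, added here as an example and not part of the original query: it reports whether lsaiso.exe is running next to the LsaCfgFlags policy values that turn Credential Guard on, so a host whose policy is set but whose isolated LSA process is absent (or the reverse) stands out. It assumes osquery's standard processes and registry tables and the two standard Windows registry locations for LsaCfgFlags.

```sql
-- Added example: cross-check the isolated LSA process against the Credential Guard policy.
-- First row: number of lsaiso.exe processes (expect 1 when Credential Guard is running).
-- Remaining rows: LsaCfgFlags values (0 = disabled, 1 = enabled with UEFI lock,
-- 2 = enabled without lock); no row means the value is not set at that location.
SELECT 'lsaiso_running' AS check_name, CAST(COUNT(*) AS TEXT) AS value
FROM processes
WHERE name = 'lsaiso.exe'
UNION ALL
SELECT path AS check_name, data AS value
FROM registry
WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\LsaCfgFlags'
UNION ALL
SELECT path AS check_name, data AS value
FROM registry
WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags';
```

A count of 0 with a non-zero flag value points at a machine where the policy was applied but virtualization-based security has not actually started, which the process check alone would simply report as "not enabled".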
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.