Query Exchange

  • 1.  Check if Credential Guard is enabled

    Posted Jun 14, 2019 03:42 PM

    Description: What does this query look for?

    Looks for machines that have credential guard enabled (Windows)

    What The Data Shows: What value does this provide, why would I want this information?

    Ensuring Credential Guard is enabled protects machines against dumping NTLM hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials, and against attacks such as pass-the-hash.

    SQL: 

    SELECT * FROM processes
    WHERE name LIKE 'lsa%so.exe';



    #Windows
    #VulnerabilityManagement
    #Community
    #ITHygiene


  • 2.  RE: Check if Credential Guard is enabled

    Broadcom Employee
    Posted Jun 14, 2019 04:45 PM

    Hi, thank you for your contribution! We'll vet this submission and if it runs as expected we'll change the status of your query from Under Review to CB Approved.

    Thanks again!



  • 3.  RE: Check if Credential Guard is enabled

    Broadcom Employee
    Posted Jun 19, 2019 06:31 PM

    Sorry for the delayed response, but we are all at BRP. Would you consider changing your query to find instances where Credential Guard is disabled? This method reduces the number of results and speeds up analysis time. Thanks!



  • 4.  RE: Check if Credential Guard is enabled

    Posted Jun 19, 2019 06:55 PM

    Hi Jnelson,


    This finds all devices that do not have LsaIso.exe running, which is the Credential Guard process. The process only shows up running when Credential Guard is enabled and running. Credential Guard can be enabled, but that doesn't necessarily mean it's running. This confirms the process is running, indicating that it's enabled and actually running and working.



  • 5.  RE: Check if Credential Guard is enabled

    Broadcom Employee
    Posted Jun 20, 2019 07:02 PM

    Thanks for the clarification! I misunderstood the purpose.



  • 6.  RE: Check if Credential Guard is enabled

    Broadcom Employee
    Posted Dec 04, 2019 05:33 AM

    Would it not be more correct to use lsalso.exe in the query when using equal sign given the process name is lsalso.exe?
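As an added illustration, not code from the thread or from Carbon Black, the following Python/sqlite3 model runs both forms of the query discussed in posts 3, 4 and 6 against a constructed processes table: the original "is LsaIso.exe present" check, the inverted "no LsaIso.exe at all" check, and an exact-name comparison with `=`. The `host` column is an assumption added so one table can stand in for results gathered from several endpoints; the process names and PIDs are constructed sample data.

```python
import sqlite3

# Constructed sample of an osquery-style "processes" table, one row per
# process per host. The "host" column is an assumption so that a single
# table can represent results collected from several endpoints.
SAMPLE_PROCESSES = [
    ("host-a", 612, "LsaIso.exe"),   # isolated LSA process present: Credential Guard running
    ("host-a", 700, "lsass.exe"),
    ("host-b", 704, "lsass.exe"),    # no LsaIso.exe: Credential Guard not running
    ("host-c", 620, "lsaiso.exe"),   # same process, name reported in lower case
    ("host-c", 712, "lsass.exe"),
]


def build_db():
    """Create an in-memory SQLite database holding the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (host TEXT, pid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?)", SAMPLE_PROCESSES)
    return conn


def hosts_with_credential_guard(conn):
    """Original form: hosts where the isolated LSA process is running.
    SQLite LIKE is case-insensitive for ASCII, so both spellings match."""
    rows = conn.execute(
        "SELECT DISTINCT host FROM processes WHERE name LIKE 'lsaiso.exe' ORDER BY host"
    ).fetchall()
    return [r[0] for r in rows]


def hosts_without_credential_guard(conn):
    """Inverted form suggested in the thread: hosts with no LsaIso.exe row,
    the shorter list an analyst actually needs to act on."""
    rows = conn.execute(
        "SELECT DISTINCT host FROM processes p "
        "WHERE NOT EXISTS (SELECT 1 FROM processes q "
        "                  WHERE q.host = p.host AND q.name LIKE 'lsaiso.exe') "
        "ORDER BY host"
    ).fetchall()
    return [r[0] for r in rows]


def hosts_with_exact_name(conn, name):
    """Comparison with '=' is case-sensitive in SQLite, so an exact match on
    'LsaIso.exe' misses a host that reports the name in a different case."""
    rows = conn.execute(
        "SELECT DISTINCT host FROM processes WHERE name = ? ORDER BY host", (name,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("Credential Guard running:", hosts_with_credential_guard(db))
    print("Credential Guard not running:", hosts_without_credential_guard(db))
    print("Exact-name match only:", hosts_with_exact_name(db, "LsaIso.exe"))
```

On a real fleet each endpoint returns its own rows, so the NOT EXISTS form corresponds to "endpoints whose processes table has no LsaIso.exe row"; the exact-name function shows why the thread's LIKE-based matching is more forgiving than `=`.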



  • 7.  RE: Check if Credential Guard is enabled

    Broadcom Employee
    Posted Dec 05, 2019 05:23 PM

    Thanks!