漏洞描述
Checks if LSA (Local Security Authority) protection is disabled or not configured.
windows-lsa-protection-not-enabled: LSA Protection Not Enabled or Not Configured
PoC代码[已公开]
id: windows-lsa-protection-not-enabled
info:
name: LSA Protection Not Enabled or Not Configured
author: princechaddha
severity: high
description: |
Checks if LSA (Local Security Authority) protection is disabled or not configured.
impact: |
Disabling or not configuring LSA protection can allow attackers to perform credential dumping.
remediation: |
Enable LSA protection to prevent malicious actors from dumping credentials from the system.
tags: windows,lsa,code,windows-audit
self-contained: true
code:
- pre-condition: |
IsWindows();
engine:
- powershell
- powershell.exe
args:
- -ExecutionPolicy
- Bypass
pattern: "*.ps1"
source: |
($null -eq (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL) -or ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL -eq 0)
matchers:
- type: word
words:
- "True"
# digest: 4a0a00473045022100a1bb86f974ecfb5621a75cfff302e746fc588168bd5d7ddca8241c9feb86e05202204cd52ccd67dd536afdbe44a9c23fc3a3181526dbae24f134e57421da6b53c0d5:922c64590222798bb761d5b6d8e72950