code/windows/audit/plaintext-passwords-in-memory.yaml

id: plaintext-passwords-in-memory

info:
  name: Plaintext Passwords Stored in Memory
  author: princechaddha
  severity: high
  description: Checks if passwords are stored in memory in plaintext, potentially exposing sensitive information to unauthorized memory access.
  impact: |
    Storing passwords in plaintext in memory can expose sensitive credentials to attackers who gain access to memory dumps or can read memory directly, leading to unauthorized access and data breaches.
  remediation: |
    Ensure that all sensitive data, especially passwords, are stored in memory in an encrypted or hashed format to mitigate the risk of exposure.
  tags: windows,security,credentials,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -ErrorAction SilentlyContinue).UseLogonCredential -eq 1) { "Plaintext passwords are stored in memory." }

    matchers:
      - type: word
        words:
          - "Plaintext passwords are stored in memory."
# digest: 4b0a0048304602210096f5a69a7eb5f990f7b6990997bbe801df7482b8883d6e9153360b9ed49d8df80221008946a1d10b3516bfdfd8925376bbbf0a091ac7236f0d6e223bbf5b3de884ed8a:922c64590222798bb761d5b6d8e72950
fixed plain-text and RDP template 2024-10-24 11:30:13 +07:00			`id: plaintext-passwords-in-memory`
Windows Security Hardening and Auditing Checks 2024-10-24 11:17:52 +07:00
			`info:`
fixed plain-text and RDP template 2024-10-24 11:30:13 +07:00			`name: Plaintext Passwords Stored in Memory`
Windows Security Hardening and Auditing Checks 2024-10-24 11:17:52 +07:00			`author: princechaddha`
			`severity: high`
fixed plain-text and RDP template 2024-10-24 11:30:13 +07:00			`description: Checks if passwords are stored in memory in plaintext, potentially exposing sensitive information to unauthorized memory access.`
Windows Security Hardening and Auditing Checks 2024-10-24 11:17:52 +07:00			`impact: \|`
fixed plain-text and RDP template 2024-10-24 11:30:13 +07:00			`Storing passwords in plaintext in memory can expose sensitive credentials to attackers who gain access to memory dumps or can read memory directly, leading to unauthorized access and data breaches.`
Windows Security Hardening and Auditing Checks 2024-10-24 11:17:52 +07:00			`remediation: \|`
fixed plain-text and RDP template 2024-10-24 11:30:13 +07:00			`Ensure that all sensitive data, especially passwords, are stored in memory in an encrypted or hashed format to mitigate the risk of exposure.`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00			`tags: windows,security,credentials,windows-audit`
Windows Security Hardening and Auditing Checks 2024-10-24 11:17:52 +07:00
			`self-contained: true`

			`code:`
			`- pre-condition: \|`
			`IsWindows();`
			`engine:`
			`- powershell`
			`- powershell.exe`
			`args:`
			`- -ExecutionPolicy`
			`- Bypass`
			`pattern: "*.ps1"`
			`source: \|`
fixed plain-text and RDP template 2024-10-24 11:30:13 +07:00			`if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -ErrorAction SilentlyContinue).UseLogonCredential -eq 1) { "Plaintext passwords are stored in memory." }`
Windows Security Hardening and Auditing Checks 2024-10-24 11:17:52 +07:00
			`matchers:`
			`- type: word`
			`words:`
chore: sign templates 🤖 2024-11-27 08:16:07 +00:00			`- "Plaintext passwords are stored in memory."`
chore: sign templates 🤖 2024-12-02 11:38:21 +00:00			`# digest: 4b0a0048304602210096f5a69a7eb5f990f7b6990997bbe801df7482b8883d6e9153360b9ed49d8df80221008946a1d10b3516bfdfd8925376bbbf0a091ac7236f0d6e223bbf5b3de884ed8a:922c64590222798bb761d5b6d8e72950`