id: credential-guard-disabled

info:
  name: Credential Guard Not Enabled
  author: princechaddha
  severity: high
  description: Verifies if Windows Defender Credential Guard is disabled, reducing protection against credential theft.
  impact: |
    Disabling Credential Guard reduces protection against modern credential theft techniques.
  remediation: |
    Enable Credential Guard to enhance security against credential theft.
  tags: credential-guard,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "AvailableSecurityProperties"

      - type: word
        words:
          - "Credential Guard"
        negative: true
# digest: 4a0a0047304502203261335cdf45385c7848f22615e426c459b8732ba8a186602fe7b71e232cf84302210081c1fcb69f908e7b29a0f6fb35e0aa71568f108c734ce0d4a1d844f8d3ee3ed1:922c64590222798bb761d5b6d8e72950