id: plaintext-passwords-in-memory

info:
  name: Plaintext Passwords Stored in Memory
  author: princechaddha
  severity: high
  description: Checks if passwords are stored in memory in plaintext, potentially exposing sensitive information to unauthorized memory access.
  impact: |
    Storing passwords in plaintext in memory can expose sensitive credentials to attackers who gain access to memory dumps or can read memory directly, leading to unauthorized access and data breaches.
  remediation: |
    Ensure that all sensitive data, especially passwords, are stored in memory in an encrypted or hashed format to mitigate the risk of exposure.
  tags: windows,security,credentials,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -ErrorAction SilentlyContinue).UseLogonCredential -eq 1) { "Plaintext passwords are stored in memory." }

    matchers:
      - type: word
        words:
          - "Plaintext passwords are stored in memory."
# digest: 4b0a0048304602210096f5a69a7eb5f990f7b6990997bbe801df7482b8883d6e9153360b9ed49d8df80221008946a1d10b3516bfdfd8925376bbbf0a091ac7236f0d6e223bbf5b3de884ed8a:922c64590222798bb761d5b6d8e72950