id: windows-credential-manager-plaintext-passwords-allowed

info:
  name: Credential Manager Allows Storing of Plain Text Passwords
  author: princechaddha
  severity: high
  description: Checks if the system allows storage of plain text passwords in Credential Manager.
  impact: |
    Storing plain text passwords can lead to credential theft if the system is compromised.
  remediation: |
    Configure Credential Manager to prevent the storage of plain text passwords.
  tags: windows,credentials,password,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -ErrorAction SilentlyContinue).UseLogonCredential -eq 1)
        {
          Write-Output 'Credential Manager stores plain text passwords';
        }

    matchers:
      - type: word
        words:
          - "Credential Manager stores plain text passwords"
# digest: 490a0046304402201cdd6dcb1d4af45e017aa70b4db6f6949439c37960033d79f387b27088a46ce802205c5ef37b8d701f727d849cc66f822000f121e93f72c0aa99b77fe7a84c406297:922c64590222798bb761d5b6d8e72950