id: windows-stored-network-credentials-allowed

info:
  name: Credentials storage for Network Authentication allowed
  author: princechaddha
  severity: medium
  description: Checks if the system allows storage of credentials for network authentication.
  impact: |
    Storing credentials for network authentication can be exploited to compromise network security.
  remediation: |
    Disable the storage of network credentials to enhance security.
  tags: windows,credentials,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').DisableDomainCreds

    matchers:
      - type: word
        words:
          - "0"
# digest: 4a0a00473045022044d88ab63cd8a9f02dbe9b581199e770cb8e35cc08f9a5affdedc60bcb6f8ee5022100ff207716082f3852867fbbde08d5f68a2651a9d57350f42ed31da6083fee61f9:922c64590222798bb761d5b6d8e72950