id: windows-lsa-protection-not-enabled

info:
  name: LSA Protection Not Enabled or Not Configured
  author: princechaddha
  severity: high
  description: |
    Checks if LSA (Local Security Authority) protection is disabled or not configured.
  impact: |
    Disabling or not configuring LSA protection can allow attackers to perform credential dumping.
  remediation: |
    Enable LSA protection to prevent malicious actors from dumping credentials from the system.
  tags: windows,lsa,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      ($null -eq (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL) -or ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL -eq 0)

    matchers:
      - type: word
        words:
          - "True"
# digest: 4a0a00473045022100a1bb86f974ecfb5621a75cfff302e746fc588168bd5d7ddca8241c9feb86e05202204cd52ccd67dd536afdbe44a9c23fc3a3181526dbae24f134e57421da6b53c0d5:922c64590222798bb761d5b6d8e72950