MT.1080 - Credentials, tokens, or cookies from highly privileged users should not be exposed on vulnerable endpoints
Overview
Exfiltration of authentication artifacts from a vulnerable device poses a significant security risk. Attackers who obtain these credentials (for example, via an infostealer) can impersonate privileged users, bypass Conditional Access, and use the sensitive roles assigned to those users. Protecting endpoints, especially those used by privileged users, is essential to prevent unauthorized access and reduce the attack surface.
How to fix
Review the details of risk and exposure score on the related device page from the Device Inventory in the Microsoft Defender XDR portal to improve the device's security posture.
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1080 |
| Severity | Medium |
| Suite | Maester |
| Category | Privileged |
| PowerShell test | Test-MtXspmExposedCredentialsForPrivilegedUsers |
| Tags | Entra, EntraOps, Graph, LongRunning, MT.1080, Privileged, XSPM |
Source
- Pester test: tests/XSPM/Test-XspmPrivilegedIdentities.Tests.ps1
- PowerShell source: powershell/public/xspm/Test-MtXspmExposedCredentialsForPrivilegedUsers.ps1