
Cleaning Up Exposed Endpoint Credentials

Exposed credentials on the endpoint are a critical source of risk: they let an adversary who has gained a foothold on the endpoint escalate privileges and reach sensitive data and applications. Zscaler ITDR scans endpoints and provides visibility into exposed endpoint credentials. You can investigate these credentials and, as a remediation action, clear them from the endpoints, reducing the attack surface available to an adversary during the compromise phase.

Currently, ITDR supports credential cleanup for the following exposure or scan types only:

  • Saved Windows Credentials
  • Cached Domain Logon Credentials
  • AWS Credentials
  • Azure Credentials
  • Google Cloud Credentials
  • Database Connections
  • Saved VNC Passwords
  • Admin AutoLogon Settings

When you select an exposed credential for cleanup, it is first queued. The agent fetches the updated policy by checking the queue in the Zscaler ITDR Admin Portal and applies the cleanup to the selected endpoints or AD identities. The Cleanup Status column tracks the state of the cleanup process.

To clean up exposed credentials from endpoints:

  1. Go to ITDR > Dashboard > Endpoint Credential Exposure.
  2. Select the All Exposures tab.

    The page lists all exposure or scan types.

  3. Double-click an exposure or scan type that supports cleanup (e.g., AWS Credentials). Exposure or scan types that support credential cleanup show a checkmark in the Available to cleanup column; types that don't support this feature show an X mark.

    The exposed credentials are displayed.

  4. Select the credentials available for cleanup (the Cleanup Status column shows Can be cleaned), and click Cleanup Credentials.

  5. In the confirmation window, click OK.

    The selected credentials are queued for cleanup. If the cleanup process is successful, the credentials are cleared from the endpoints.

  6. Select Show Cleaned Credentials to view the list of credentials that were successfully cleaned up.

    If the cleanup fails, the Cleanup Status column shows Failed along with the reason for the failure.
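Added example, not Zscaler's or the ITDR agent's code: a PowerShell audit that reports whether artifacts of the exposure types listed above are still present on a Windows endpoint, so an administrator can confirm on the host itself that a cleanup reported as successful in the portal actually cleared the artifact. The file paths and registry values are the respective tools' documented default locations and are assumptions, not ITDR's scan logic; Database Connections are not covered, the script reports only where an artifact exists (never its value), and it should run in an elevated session.

```powershell
# Audit a Windows endpoint for artifacts of the credential exposure types ITDR can clean up.
# Locations below are the tools' default locations (assumed), not ITDR's own scan logic.
$findings = @()

function Add-Finding($Type, $Detail) {
    $script:findings += [pscustomobject]@{ Type = $Type; Detail = $Detail }
}

# Admin AutoLogon Settings: AutoAdminLogon enabled or a cleartext DefaultPassword under Winlogon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($wl.AutoAdminLogon -eq '1' -or $wl.DefaultPassword) {
    Add-Finding 'Admin AutoLogon Settings' "AutoAdminLogon=$($wl.AutoAdminLogon); DefaultPassword present: $([bool]$wl.DefaultPassword)"
}

# Cached Domain Logon Credentials: the cache itself is SYSTEM-only, so report the retention policy.
if ($wl.CachedLogonsCount -and [int]$wl.CachedLogonsCount -gt 0) {
    Add-Finding 'Cached Domain Logon Credentials' "CachedLogonsCount=$($wl.CachedLogonsCount)"
}

# Saved Windows Credentials: targets stored in the current user's Credential Manager.
$targets = cmdkey /list 2>$null | Select-String -Pattern '^\s*Target:'
foreach ($t in $targets) { Add-Finding 'Saved Windows Credentials' $t.Line.Trim() }

# AWS, Azure and Google Cloud CLI credential/token stores in the current user's profile.
$cloudFiles = @{
    'AWS Credentials'          = @("$env:USERPROFILE\.aws\credentials")
    'Azure Credentials'        = @("$env:USERPROFILE\.azure\msal_token_cache.bin",
                                   "$env:USERPROFILE\.azure\accessTokens.json")
    'Google Cloud Credentials' = @("$env:APPDATA\gcloud\credentials.db",
                                   "$env:APPDATA\gcloud\access_tokens.db")
}
foreach ($type in $cloudFiles.Keys) {
    foreach ($path in $cloudFiles[$type]) {
        if (Test-Path $path) { Add-Finding $type $path }
    }
}

# Saved VNC Passwords: report whether a stored Password value exists (value is never read out).
$vncKeys = 'HKLM:\SOFTWARE\RealVNC\vncserver', 'HKLM:\SOFTWARE\TightVNC\Server'
foreach ($key in $vncKeys) {
    $p = Get-ItemProperty -Path $key -Name Password -ErrorAction SilentlyContinue
    if ($p) { Add-Finding 'Saved VNC Passwords' "$key\Password" }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No artifacts of the listed exposure types found on this endpoint.' }
```

Run it before and after the cleanup and compare the two reports; a type that still appears after the portal shows Cleaned is worth raising with the failure reason shown in the Cleanup Status column.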
