Credential Guard
Credential Guard is a virtualization-based isolation technology for LSASS that prevents attackers from stealing credentials which could be used for pass-the-hash attacks.[1][2][3][4] Credential Guard was introduced with Microsoft's Windows 10 operating system.[1] As of Windows 10 version 20H1, Credential Guard is only available in the Enterprise edition of the operating system.
Summary
After compromising a system, attackers often attempt to extract any stored credentials for further lateral movement through the network. A prime target is the LSASS process, which stores NTLM and Kerberos credentials. Credential Guard prevents attackers from dumping credentials stored in LSASS by running LSASS in a virtualized container that even a user with SYSTEM privileges cannot access.[5] The system then creates a proxy process called LSAIso (LSA Isolated) for communication with the virtualized LSASS process.[6][3][7]
Bypass techniques
There are several generic techniques for stealing credentials on systems with Credential Guard:
- A keylogger running on the system will capture any typed passwords.[8][3]
- A user with administrator privileges can install a new Security Support Provider (SSP). The new SSP will not be able to access stored password hashes, but it will be able to capture every password entered after the SSP is installed.[8][9]
- Extract stored credentials from another source, as is done in the "Internal Monologue" attack, which uses SSPI to retrieve crackable NetNTLMv1 hashes.[10]
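The two facts above that matter to a defender are that Credential Guard's protection only applies while the isolated LSA process is actually running, and that LSA loads whatever SSPs are registered for it at boot. The following PowerShell audit is an added example, not code from the article or from Microsoft: it reports Credential Guard and VBS state from the documented `Win32_DeviceGuard` WMI class and the presence of the LsaIso process, then lists the SSPs registered under the LSA registry keys so that an unexpected package stands out. The `$baseline` list of SSP names is an assumption about a typical Windows 10 build and should be adjusted to the builds in use.

```powershell
# Added example (not from the article): audit a host's Credential Guard state
# and the Security Support Providers registered with LSA.

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard is Microsoft's documented WMI class for VBS status.
    # SecurityServicesRunning contains 1 when Credential Guard is running and
    # 2 when HVCI is running; SecurityServicesConfigured uses the same values.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'
    $running    = @($dg.SecurityServicesRunning)
    $configured = @($dg.SecurityServicesConfigured)

    # LsaIso.exe is the isolated LSA process the article describes; its
    # presence is a second, independent indicator that isolation is active.
    $lsaIso = Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled
        # but not running, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = ($configured -contains 1)
        CredentialGuardRunning    = ($running -contains 1)
        HvciRunning               = ($running -contains 2)
        LsaIsoProcessPresent      = ($null -ne $lsaIso)
    }
}

function Get-RegisteredSecurityPackages {
    # LSA loads the SSPs named in the 'Security Packages' value of these two
    # keys at boot. A package that is not on the expected baseline is exactly
    # the kind of addition the SSP bypass above relies on and merits review.
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
    )
    # Assumed baseline of Microsoft-shipped SSP names; adjust per build.
    $baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest',
                  'tspkg', 'pku2u', 'cloudap')

    $packages = foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name 'Security Packages' `
                                 -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            # The value is REG_MULTI_SZ and may hold an empty entry; skip those.
            @($item.'Security Packages') | Where-Object { $_ -ne '' }
        }
    }

    foreach ($pkg in ($packages | Sort-Object -Unique)) {
        [PSCustomObject]@{
            Package  = $pkg
            Expected = ($baseline -contains $pkg.ToLower())
        }
    }
}

Get-CredentialGuardStatus       | Format-List
Get-RegisteredSecurityPackages  | Format-Table -AutoSize
```

A host that reports `CredentialGuardConfigured` as true but `CredentialGuardRunning` as false (or no LsaIso process) is not protected despite the policy, which is the case worth alerting on; any SSP row with `Expected` false should be matched against change records before it is trusted.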
References
1. "Protect derived domain credentials with Windows Defender Credential Guard". Windows IT Pro Center. Retrieved 14 September 2018.
2. "Analysis of the attack surface of Windows 10 virtualization-based security" (PDF). blackhat.com. Retrieved 13 November 2018.
3. Yosifovich, Pavel; Russinovich, Mark (5 May 2017). Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, Seventh Edition. Microsoft Press. ISBN 978-0-13-398647-1.
4. "Credential Guard Cheat Sheet". insights.adaptiva.com. Retrieved 13 November 2018.
5. "Deep Dive into Credential Guard, Credential Theft & Lateral Traversal". Microsoft Virtual Academy. Retrieved 17 September 2018.
6. "Windows 10 Device Guard and Credential Guard Demystified". Microsoft TechNet, Ash's blog. Retrieved 17 September 2018.
7. "Technique: Credential Dumping". attack.mitre.org. Retrieved 8 July 2019.
8. "Windows Credential Guard & Mimikatz". NVISO Labs. 9 January 2018. Retrieved 14 September 2018.
9. "Third party Security Support Providers with Credential Guard". Windows Dev Center. Retrieved 14 September 2018.
10. "Retrieving NTLM Hashes without touching LSASS: the 'Internal Monologue' Attack". andreafortuna.org. Archived from the original on 26 May 2018. Retrieved 5 November 2018.