Credential Guard

Credential Guard is a virtualization-based isolation technology for LSASS which prevents attackers from stealing credentials that could be used for pass the hash attacks.^[1]^[2]^[3]^[4] Credential Guard was introduced with Microsoft's Windows 10 operating system.^[1] As of Windows 10 version 20H1, Credential Guard is only available in the Enterprise edition of the operating system.

Summary

After compromising a system, attackers often attempt to extract any stored credentials for further lateral movement through the network. A prime target is the LSASS process, which stores NTLM and Kerberos credentials. Credential Guard prevents attackers from dumping credentials stored in LSASS by running LSASS in a virtualized container that even a user with SYSTEM privileges cannot access.^[5] The system then creates a proxy process called LSAIso (LSA Isolated) for communication with the virtualized LSASS process.^[6]^[3]^[7]

Bypass techniques

There are several generic techniques for stealing credentials on systems with Credential Guard:

A keylogger running on the system will capture any typed passwords.^[8]^[3]
A user with administrator privileges can install a new Security Support Provider (SSP). The new SSP will not be able to access stored password hashes, but will be able to capture all passwords after the SSP is installed.^[8]^[9]
Extract stored credentials from another source, as is performed in the "Internal Monologue" attack (which uses SSPI to retrieve crackable NetNTLMv1 hashes). ^[10]

References

^ a b "Protect derived domain credentials with Windows Defender Credential Guard". Windows IT Pro Center. Retrieved 14 September 2018.
^ "Analysis of the attack surface of windows 10 virtualization-based security" (PDF). blackhat.com. Retrieved 13 November 2018.
^ a b c Yosifovich, Pavel; Russinovich, Mark (5 May 2017). Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, Seventh Edition. Microsoft Press. ISBN 978-0-13-398647-1.
^ "Credential Guard Cheat Sheet". insights.adaptiva.com. Retrieved 13 November 2018.
^ "Deep Dive into Credential Guard, Credential Theft & Lateral Traversal". Microsoft Virtual Academy. Retrieved 17 September 2018.
^ "Windows 10 Device Guard and Credential Guard Demystified". Microsoft TechNet, Ash's blog. Retrieved 17 September 2018.
^ "Technique: Credential Dumping". attack.mitre.org. Retrieved 8 July 2019.
^ a b "Windows Credential Guard & Mimikatz". nviso labs. 2018-01-09. Retrieved 14 September 2018.
^ "Third party Security Support Providers with Credential Guard". Windows Dev Center. Retrieved 14 September 2018.
^ "Retrieving NTLM Hashes without touching LSASS: the "Internal Monologue" Attack". andreafortuna.org. Archived from the original on 26 May 2018. Retrieved 5 November 2018.

[Protect_derived_domain_credentials_with_Windows_Defender_Credential_Guard-1] "Protect derived domain credentials with Windows Defender Credential Guard". Windows IT Pro Center. Retrieved 14 September 2018.

[Analysis_of_the_attack_surface_of_windows_10_virtualization-based_security-2] "Analysis of the attack surface of windows 10 virtualization-based security" (PDF). blackhat.com. Retrieved 13 November 2018.

[Windows_Internal_7_-_Volume_1-3] Yosifovich, Pavel; Russinovich, Mark (5 May 2017). Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, Seventh Edition. Microsoft Press. ISBN 978-0-13-398647-1.

[Credential_Guard_Cheat_Sheet-4] "Credential Guard Cheat Sheet". insights.adaptiva.com. Retrieved 13 November 2018.

[Deep_Dive_into_Credential_Guard,_Credential_Theft_&_Lateral_Traversal-5] "Deep Dive into Credential Guard, Credential Theft & Lateral Traversal". Microsoft Virtual Academy. Retrieved 17 September 2018.

[Windows_10_Device_Guard_and_Credential_Guard_Demystified-6] "Windows 10 Device Guard and Credential Guard Demystified". Microsoft TechNet, Ash's blog. Retrieved 17 September 2018.

[ATT&CK_Credential_Dumping-7] "Technique: Credential Dumping". attack.mitre.org. Retrieved 8 July 2019.

[Windows_Credential_Guard_&_Mimikatz-8] "Windows Credential Guard & Mimikatz". nviso labs. 2018-01-09. Retrieved 14 September 2018.

[Third_party_Security_Support_Providers_with_Credential_Guard-9] "Third party Security Support Providers with Credential Guard". Windows Dev Center. Retrieved 14 September 2018.

[Retrieving_NTLM_Hashes_without_touching_LSASS:_the_“Internal_Monologue”_Attack-10] "Retrieving NTLM Hashes without touching LSASS: the "Internal Monologue" Attack". andreafortuna.org. Archived from the original on 26 May 2018. Retrieved 5 November 2018.