Credential Guard

After compromising a system, attackers often attempt to extract any stored credentials for further lateral movement through the network. A prime target is the LSASS process, which stores NTLM and Kerberos credentials. Credential Guard prevents attackers from dumping credentials stored in LSASS by running LSASS in a virtualized container that even a user with SYSTEM privileges cannot access. The system then creates a proxy process called LSAIso (LSA Isolated) for communication with the virtualized LSASS process.

There are several generic techniques for stealing credentials on systems with Credential Guard:

• A keylogger running on the system will capture any typed passwords.
• A user with administrator privileges can install a new Security Support Provider (SSP). The new SSP will not be able to access stored password hashes, but will be able to capture all passwords after the SSP is installed.
• Extract stored credentials from another source, as is performed in the "Internal Monologue" attack (which uses SSPI to retrieve crackable NetNTLMv1 hashes).

{{reflist|refs=

{{cite book |last1=Yosifovich |first1=Pavel |last2=Russinovich |first2=Mark |author-link2=Mark Russinovich |date=5 May 2017|title= Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, Seventh Edition|publisher=Microsoft Press |isbn=978-0-13-398647-1}}

{{cite web |url=https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard|title=Protect derived domain credentials with Windows Defender Credential Guard|website=Windows IT Pro Center|access-date=14 September 2018}}

{{cite web |url=https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474|title=Deep Dive into Credential Guard, Credential Theft & Lateral Traversal |website=Microsoft Virtual Academy|access-date=17 September 2018}}

{{cite web |url=https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-and-credential-guard-demystified/|title=Windows 10 Device Guard and Credential Guard Demystified|website=Microsoft TechNet, Ash's blog|date=2 March 2016 |access-date=17 September 2018}}

{{cite web |url=https://blog.nviso.be/2018/01/09/windows-credential-guard-mimikatz/|title=Windows Credential Guard & Mimikatz|website=nviso labs|access-date=14 September 2018|date=2018-01-09}}

{{cite web |url=https://docs.microsoft.com/en-us/windows/desktop/w8cookbook/third-party-security-support-providers-with-credential-guard|title=Third party Security Support Providers with Credential Guard|website=Windows Dev Center|access-date=14 September 2018}}

{{cite web|url=https://www.andreafortuna.org/dfir/retrieving-ntlm-hashes-without-touching-lsass-the-internal-monologue-attack/|title=Retrieving NTLM Hashes without touching LSASS: the "Internal Monologue" Attack|website=andreafortuna.org|access-date=5 November 2018|archive-date=26 May 2018|archive-url=https://web.archive.org/web/20180526043315/https://www.andreafortuna.org/dfir/retrieving-ntlm-hashes-without-touching-lsass-the-internal-monologue-attack/|url-status=dead}}

{{cite web |url=https://www.blackhat.com/docs/us-16/materials/us-16-Wojtczuk-Analysis-Of-The-Attack-Surface-Of-Windows-10-Virtualization-Based-Security-wp.pdf|title=Analysis of the attack surface of windows 10 virtualization-based security|website=blackhat.com|access-date=13 November 2018}}

{{cite web |url=https://insights.adaptiva.com/2018/windows-10-credential-guard-security/|title=Credential Guard Cheat Sheet|website=insights.adaptiva.com|access-date=13 November 2018}}

{{cite web |url=https://attack.mitre.org/techniques/T1003/|title=Technique: Credential Dumping|website=attack.mitre.org|access-date=8 July 2019}}

}}

{{Windows Components}}

Category:Windows 10

Category:Microsoft Windows security technology