Credential Guard

Credential Guard is a virtualization-based isolation technology for LSASS which prevents attackers from stealing credentials that could be used for pass the hash attacks.^[1][2][3][4] Credential Guard was introduced with Microsoft's Windows 10 operating system.^[1] As of Windows 10 version 20H1, Credential Guard is only available in the Enterprise edition of the operating system.

Summary

After compromising a system, attackers often attempt to extract any stored credentials for further lateral movement through the network. A prime target is the LSASS process, which stores NTLM and Kerberos credentials. Credential Guard prevents attackers from dumping credentials stored in LSASS by running LSASS in a virtualized container that even a user with SYSTEM privileges cannot access.^[5] The system then creates a proxy process called LSAIso (LSA Isolated) for communication with the virtualized LSASS process.^[6][3][7]

Bypass techniques

There are several generic techniques for stealing credentials on systems with Credential Guard:

• A keylogger running on the system will capture any typed passwords.^[8][3]
• A user with administrator privileges can install a new Security Support Provider (SSP). The new SSP will not be able to access stored password hashes, but will be able to capture all passwords after the SSP is installed.^[8][9]
• Extract stored credentials from another source, as is performed in the "Internal Monologue" attack (which uses SSPI to retrieve crackable NetNTLMv1 hashes). ^[10]