Windows 10: LSASS.DMP still have my credential after enabling Credential Guard

PraveshJanartha · Mar 12, 2021

Hi,

I might sound noob but want to clarify something regarding Credential Guard.

Scenario:

I have a domain joined system for a year now and recently I enabled Credential Guard to test and play around with it. Output below shows that CredGuard is enabled:

PS C:\temp> .\DG_Readiness_Tool.ps1 -Ready

###########################################################################

Readiness Tool Version 3.7.2 Release.

Tool to check if your device is capable to run Device Guard and Credential Guard.

###########################################################################

###########################################################################

OS and Hardware requirements for enabling Device Guard and Credential Guard

1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education and Enterprise IoT

2. Hardware: Recent hardware that supports virtualization extension with SLAT

To learn more please visit: https://aka.ms/dgwhcr

###########################################################################

Credential-Guard is enabled and running.

HVCI is enabled and running.

Config-CI is enabled and running. Enforced mode

HVCI, Credential Guard, and Config CI are enabled and running.

Question:

After enabling CredGuard, I dumped lsass.exe process and run it through Mimikatz to see what information it captures and it was still showing NTLM hash and clear text password. So what is the problem here? Why it is not preventing system from storing passwords in memory?

:)

Brink · Mar 12, 2021

Credential Guard lab companion

If you have heard about Credential Guard in Windows Server 2016 (and in Windows 10), but do not have an environment to try it out, here is a lab environment we built for you to play.

Lab access

The link will lead you to a sign up page, after that, you will see the following labs listed for Windows Server 2016:

Windows Server 2016 labs

There are 3 exercises in the “Implementing Breach Resistance Security in Windows Server 2016”:

Credential Guard

Remote Credential Guard

Device Guard

This blogpost will walk you through the Credential Guard lab details.

After click on the link of Breach Resistance lab, you be required to sign in and then you can launch the lab:

Sign-in

Launch page

It takes a few minutes to create the VMs, and once it has done, you will see the following machines prepared:

Initialize

DC: domain controller, which is not used for this exercise.

SRV01 and SRV02: both are Windows Server 2016, and used for the lab exercise.

Lab exercise – Explained

The steps are listed in the Content section:

Content

This lab is structured to cover the following in sequence:

Understand how attackers can use the hash in memory to gain access to domain controllers

Configure Credential Guard

Verify the hash in memory is protected using Credential Guard

You can follow the steps listed under the content section to complete the lab, the intent of the blog, is to break the procedures into groups, to help you understand the exercise better.

Prep the hash

Lsass.exe is the process which handles user logon, it stores the user credential information in its memory. The memory is cleared when the machine starts up. In this lab environment, all the virtual machines start at the time lab launches, when you logon to the machine, you will only have the logon user credential information in memory. In order to demonstrate an attacker gaining user access using other account’s hash, the first part of the lab is to simulate a server which has been running for a while, different users had remotely or locally connected to it, therefore, lsass memory stored many different user credential information.
This is accomplished by step 1-8.

Retrieving credential hash

Mimikatz is a popular tool for retrieving lsass memory information. The tool has been copied to the lab machines, step 9-13 walk you through the process of dumping lsass memory using Mimikatz.

Pass the Hash

Pass the hash is a hacking technique that allows an attacker to authenticate by using the underlying NTLM, instead of specifying the user password. In step 14 to 24, you will extract LabAdmin hash from lsass using Mimikatz, and use the hash to open a PowerShell console, and perform a couple of operations using the LabAdmin privilege:

Add a user to the domain admin group

Open remote PowerShell connection to a domain controller

Both operations could not be performed by the logon user. But using the hash of the LabAdmin, an attacker will be able to do it using the information retrieve from Lsass memory.

Configure and verify Credential Guard

Step 25 to 36 illustrate the steps to configure credential guard, then verify its status using msinfo32.exe and PowerShell.

Step 37 to 43 goes further to use Mimikatz to show the hash in Lsass is now encrypted using Credential Guard.

More info

The exercise illustrated the benefit of Credential Guard in Windows Server 2016 as well as Windows 10. For more information, you can find here.
Click to expand...

Source: Credential Guard lab companion Datacenter and Private Cloud Security Blog

See also:

Enable or Disable Credential Guard in Windows 10 Windows 10 Security System Tutorials

Verify if Credential Guard is Enabled or Disabled in Windows 10 Windows 10 Security System Tutorials

IvanPiacun · Mar 12, 2021

Credential Guard

When will Credential Guard be supported on the same Windows 10 Enterprise device as Barkly and VMWare Workstation Pro.

It would be nice to be able to run these products without sacrificing Credential Guard.

Moved from Insider

Ramhound · Mar 12, 2021

VMware Workstation can be run after disabling Device/Credential Guard

I try to install windows sandbox in my windows 10 home
Click to expand...

Windows Sandbox cannot be enabled on Windows 10 Home. The workaround you most likely used, does not even work, and has never actually worked. However, when you attempted to enable Windows Sandbox, it also enabled Credential Guard and Device Guard.

The first thing you need to backup any critical files you cannot live without. Depending on the state of your system you might decide it's time to simply reinstall Windows 10 Home. An alternative is to upgrade to Windows 10 Professional so you can Enable Windows Sandbox then disable it properly. The following suggestion was written against an assumption that Windows Sandbox was properly enabled and not left in a broken state due to a workaround solution on Windows 10 Home.

Windows Security -->> Device Security -->> Core Isolation -->> Memory Integrity -->> Select Off

Since you are using Windows 10 Home you will have to install the group policy editor to perform next step.

Set Local Computer Policy ->> Computer Configuration ->> Administrative Templates ->> System - Device Guard ->> Turn on
Virtualization to Disabled

Be sure Enabled with UEFI lock is not enabled.

Download the Device Guard and Credential Guard Hardware Readiness Tool and run the following command as an Administrator.

DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot

You also need to disable both Hyper-V and Windows Sandbox. The following commands assume you are running Windows 10 Professional or Windows 10 Enterprise.

Dism /online /Enable-Feature /FeatureName:”Containers-DisposableClientVM” -All

Dism /online /Disable-Feature /FeatureName:”Containers-DisposableClientVM”

Dism /Online /Disable-Feature:Microsoft-Hyper-V

You should reboot your machine at this point

Click to expand...

Source:

Windows Sandbox Feature enables windows defender credential guard feature sets. Does not play well with VMware Workstation

Manage Windows Defender Credential Guard

VMware Player and Device/Credential Guard are not compatible

Windows 10: LSASS.DMP still have my credential after enabling Credential Guard

LSASS.DMP still have my credential after enabling Credential Guard

LSASS.DMP still have my credential after enabling Credential Guard

LSASS.DMP still have my credential after enabling Credential Guard

LSASS.DMP still have my credential after enabling Credential Guard - Similar Threads - LSASS DMP still

Credential Guard is configured to run, but is not licensed. Credential Guard was not started.

Credential Guard is configured to run, but is not licensed. Credential Guard was not started.

Credential Guard is configured to run, but is not licensed. Credential Guard was not...

Credential Guard is configured to run, but is not licensed. Credential Guard was not...

Disabling credential guard

Disabling credential guard

Credential guard not running

Credential guard not running

Enable or Disable Credential Guard in Windows 10