Great video !!! Unfortunately Microsoft requirements for Credential Guard are pretty "heavy". For example it will work only on windows Enterprise edition.
I'm glad I watched this. What privileges did you need to run that .exe and successfully dump lsass? Steps up to that would be flagged easily. Our soc would also see that being run and notify the client.
You would need to escalate to local admin level or a level that can install software. Saying your SOC would see this unless your running application allow listing or have SIEM rules in place isn’t a given. You should test this scenario.
@@CyberAttackDefense sounds similar to phymem2profit maybe? BTW what is the best way to reach you. I am a solo operator right now and always need people to bounce ideas off of😅.
This is a great share. I am using it and dumped the RAM, and from it the SAM hashes using volatility3. However, it would be more useful to get the actual NTLM hashes of the AD users, and this is not in the LSA secrets method from volatility3. I thought, that maybe if I carved out somehow the process data from the Lsass.exe that is in the RAM dump it would be possible to analyze it with mimikatz minidump locally. But it just fails. Am I doing something that makes no sense?
thank you for the reply@@CyberAttackDefense. I get the local user hashes from the volatility3 plugin windows.hashdump and mimikatz returns also the NT hashes of the AD users in the same host. So I was wondering if it is possible to convert the output from Winpmem and use it on mimikatz offline. I know the DA NTLM hash is there, and then just need to pass it to end the test
@@franciscog7110 You can dump the process with volatility and run mimikatz against it. Did you try using memdump? or if you have an older version of volatility there is a mimikatz plugin.
So you can’t really bypass credential guard. There are some other methods but the closest I have seen was what Oliver Lyak did here. research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22
Hi Brian, thank you so much the content you are putting out. In terms of detection, would it not be more robust to look for the winpmem driver hash? As modifying it would invalidate the signature. Of course, assuming that we would have the detection capabilities and incentives
This one was brought on by a fleeting chat in a SANS chat room and experimentation. I am lucky to be around other smart people with great ideas that I can test and make into reality.