Credential Guard

Credential Guard is a virtualization-based isolation technology for LSASS which prevents attackers from stealing credentials that could be used for pass the hash attacks. Credential Guard was introduced with Microsoft's Windows 10 operating system. As of Windows 10 version 20H1, Credential Guard is only available in the Enterprise edition of the operating system.

Summary
After compromising a system, attackers often attempt to extract any stored credentials for further lateral movement through the network. A prime target is the LSASS process, which stores NTLM and Kerberos credentials. Credential Guard prevents attackers from dumping credentials stored in LSASS by running LSASS in a virtualized container that even a user with SYSTEM privileges cannot access. The system then creates a proxy process called LSAIso (LSA Isolated) for communication with the virtualized LSASS process.

Bypass techniques
There are several generic techniques for stealing credentials on systems with Credential Guard:


 * A keylogger running on the system will capture any typed passwords.
 * A user with administrator privileges can install a new Security Support Provider (SSP). The new SSP will not be able to access stored password hashes, but will be able to capture all passwords after the SSP is installed.
 * Extract stored credentials from another source, as is performed in the "Internal Monologue" attack (which uses SSPI to retrieve crackable NetNTLMv1 hashes).