Credential Guard is a virtualization-based isolation technology for LSASS that prevents attackers from stealing credentials that could be used for pass-the-hash attacks.[1][2][3][4] Credential Guard was introduced with Microsoft's Windows 10 operating system.[1] As of Windows 10 version 20H1, Credential Guard is only available in the Enterprise edition of the operating system.


After compromising a system, attackers often attempt to extract any stored credentials for further lateral movement through the network. A prime target is the LSASS process, which stores NTLM and Kerberos credentials. Credential Guard prevents attackers from dumping credentials stored in LSASS by running LSASS in a virtualized container that even a user with SYSTEM privileges cannot access.[5] The system then creates a proxy process called LSAIso (LSA Isolated) for communication with the virtualized LSASS process.[6][3][7]

Bypass techniques

There are several generic techniques for stealing credentials on systems with Credential Guard:


References

  1. "Protect derived domain credentials with Windows Defender Credential Guard". Windows IT Pro Center. Retrieved 14 September 2018.
  2. "Analysis of the attack surface of Windows 10 virtualization-based security" (PDF). Retrieved 13 November 2018.
  3. Yosifovich, Pavel; Russinovich, Mark (5 May 2017). Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, Seventh Edition. Microsoft Press. ISBN 978-0-13-398647-1.
  4. "Credential Guard Cheat Sheet". Retrieved 13 November 2018.
  5. "Deep Dive into Credential Guard, Credential Theft & Lateral Traversal". Microsoft Virtual Academy. Retrieved 17 September 2018.
  6. "Windows 10 Device Guard and Credential Guard Demystified". Microsoft TechNet, Ash's blog. Retrieved 17 September 2018.
  7. "Technique: Credential Dumping". Retrieved 8 July 2019.
  8. "Windows Credential Guard & Mimikatz". NVISO Labs. 9 January 2018. Retrieved 14 September 2018.
  9. "Third party Security Support Providers with Credential Guard". Windows Dev Center. Retrieved 14 September 2018.
  10. "Retrieving NTLM Hashes without touching LSASS: the "Internal Monologue" Attack". Retrieved 5 November 2018.