Windows Server 2019 and Windows 10 Pro - Credential Guard Enabled, Mimikatz still obtaining hashes

MartinPJones 1 Reputation point
2021-01-06T23:19:09.917+00:00

After much experimentation with Device Guard and Credential Guard on Windows platforms hosted with vCenter ESXi 6.7, I've found DG does not work with Windows Server 2016; however, I was able to get it "working" with Windows Server 2019 and Windows 10 Pro hosted on the same ESXi rack. I use quotation marks around "working" because, though the CG compatibility tool tells me the security is running, as does System Information, I am still able to extract passwords from the system using Mimikatz (sekurlsa::logonpasswords). I am not doing any injections or work beforehand to allow this, and only download Mimikatz after I have enabled Credential Guard and ensured it is running.

Does anyone know why Credential Guard may not be working as intended? Thanks!

System Information: (screenshot not reproduced)

CG Compatibility Tool output:

PS C:\Users\Administrator\Downloads\dgreadiness_v3.6\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready  
###########################################################################  
Readiness Tool Version 3.4 Release.  
Tool to check if your device is capable to run Device Guard and Credential Guard.  
###########################################################################  
###########################################################################  
OS and Hardware requirements for enabling Device Guard and Credential Guard  
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home  
 2. Hardware: Recent hardware that supports virtualization extension with SLAT  
To learn more please visit: https://aka.ms/dgwhcr  
###########################################################################  
  
Credential-Guard is enabled and running.  
HVCI is enabled and running.  
Config-CI is enabled and running. (Audit mode)  
HVCI, Credential-Guard, and Config-CI are enabled and running.  

Mimikatz Output:

mimikatz # sekurlsa::logonpasswords  
  
Authentication Id : 0 ; 248622 (00000000:0003cb2e)  
Session           : RemoteInteractive from 2  
User Name         : Administrator  
Domain            : VBS-2019  
Logon Server      : VBS-2019  
Logon Time        : 1/6/2021 12:17:26 PM  
SID               : S-1-5-21-3869050133-2886954220-3090916572-500  
        msv :  
         [00000003] Primary  
         * Username : Administrator  
         * Domain   : VBS-2019  
         * NTLM     : [Hash removed]  
         * SHA1     : [Hash removed]  
        tspkg :  
        wdigest :  
         * Username : Administrator  
         * Domain   : VBS-2019  
         * Password : (null)  
        kerberos :  
         * Username : Administrator  
         * Domain   : VBS-2019  
         * Password : (null)  
        ssp :  
        credman :  
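One detail in the dump above answers most of the question: the session Mimikatz recovered belongs to a local account, since both Domain and Logon Server are the hostname VBS-2019. Credential Guard isolates domain credentials (NTLM hashes and Kerberos tickets of domain accounts) in LsaIso.exe; local SAM accounts and Microsoft accounts are outside its scope, so their NTLM hashes stay in LSASS and sekurlsa::logonpasswords returns them even when the feature is fully active. The script below is an added example, not code from the post or from Microsoft. It cross-checks the runtime state reported by Win32_DeviceGuard against the presence of the LsaIso.exe process, the Wininit start event and the LsaCfgFlags registry value, then labels every current logon session as local or domain so the reader can see which sessions Credential Guard could protect at all. It assumes an elevated PowerShell session on Windows 10 or Windows Server 2019; the WMI property encodings and event ID are documented Microsoft values, and the LogonType name table is the standard mapping.

```powershell
# Added example, not code from the original post or from Microsoft.
# Cross-checks Credential Guard runtime state and classifies logon sessions.
# Assumes an elevated PowerShell session on Windows 10 / Windows Server 2019.

# --- 1. Runtime state from the Win32_DeviceGuard class ---------------------------
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
# SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
$vbsRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$cgConfigured = ($dg.SecurityServicesConfigured -contains 1)
$cgRunning    = ($dg.SecurityServicesRunning    -contains 1)
$hvciRunning  = ($dg.SecurityServicesRunning    -contains 2)

# --- 2. Independent corroboration: isolated LSA process and its boot event ------
$lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue
# Wininit logs event 13 ("Credential Guard (LsaIso.exe) was started ...") at boot.
$cgStartEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 13 } -MaxEvents 1 -ErrorAction SilentlyContinue

# --- 3. Persisted policy (what applies at next boot) ----------------------------
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$lsaCfgFlags = $lsa.LsaCfgFlags   # 1 = enabled with UEFI lock, 2 = enabled without lock, 0/absent = off

[pscustomobject]@{
    VbsRunning             = $vbsRunning
    CredentialGuardConfig  = $cgConfigured
    CredentialGuardRunning = $cgRunning
    HvciRunning            = $hvciRunning
    LsaIsoProcessPresent   = [bool]$lsaIso
    WininitEvent13Seen     = [bool]$cgStartEvent
    LsaCfgFlags            = $lsaCfgFlags
} | Format-List

if ($cgConfigured -and -not $cgRunning) {
    Write-Warning 'Credential Guard is configured but not running: check that the VM exposes virtualization extensions to the guest, then reboot.'
}

# --- 4. Which logon sessions can Credential Guard protect at all? ---------------
# Credential Guard isolates domain credentials (NTLM hashes, Kerberos tickets) in LsaIso.
# Local SAM accounts are out of scope: their NTLM hash stays in LSASS regardless.
$logonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }
$sessById = @{}
Get-CimInstance -ClassName Win32_LogonSession | ForEach-Object { $sessById[$_.LogonId] = $_ }

Get-CimInstance -ClassName Win32_LoggedOnUser | ForEach-Object {
    $acct    = $_.Antecedent                      # Win32_Account reference: Domain, Name
    $sess    = $sessById[$_.Dependent.LogonId]    # Win32_LogonSession reference: LogonId
    $isLocal = ($acct.Domain -ieq $env:COMPUTERNAME)
    [pscustomobject]@{
        LogonId   = $_.Dependent.LogonId
        Account   = '{0}\{1}' -f $acct.Domain, $acct.Name
        LogonType = if ($sess) { $logonTypes[[int]$sess.LogonType] } else { 'unknown' }
        Scope     = if ($isLocal) { 'local: not covered by Credential Guard' } else { 'domain: covered while CG is running' }
    }
} | Sort-Object LogonId -Unique | Format-Table -AutoSize
```

Run it on the VBS-2019 host and the Administrator session from the dump will appear as local scope. To exercise the protection itself, join the machine to a domain (the second answer notes the documentation's advice to enable Credential Guard before the join), log on with a domain account so that session shows as domain scope, and dump again: that session's NTLM hash and Kerberos keys are the material Credential Guard keeps out of LSASS. A host that passes all four checks yet still exposes domain credentials is the case worth escalating; local-account exposure alone is not a defect in the feature.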

3 answers

  1. Anonymous
    2021-01-07T08:21:59.367+00:00

    Hi,

    Please read the article below to see if it resolves your question. It mentions that "Despite Credential Guard, users with administrative access can still find ways to steal credentials entered on Windows machines." It also provides an example that uses Mimikatz's own Security Support Provider.

    Windows Credential Guard & Mimikatz
    https://blog.nviso.eu/2018/01/09/windows-credential-guard-mimikatz/

    Hope the above information helps.

    Thanks,

    Eleven



  2. Anonymous
    2021-01-08T01:31:25.813+00:00

    Hi,

    Has your VM joined a domain? Was Credential Guard enabled before the domain join?

    The article below recommends enabling Windows Defender Credential Guard before a device is joined to a domain.
    https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage

    If the problem persists, I think you may need to capture some dumps or traces to investigate the issue further, so I suggest contacting Microsoft Customer Support and Services, where a more in-depth investigation can be done and you can get a more satisfying explanation and solution.
     
    You may find phone number for your region accordingly from the link below:
    Global Customer Service phone numbers
    https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

    Thanks,
    Eleven



  3. Reza-Ameri 17,341 Reputation points Volunteer Moderator
    2021-01-10T18:12:39.2+00:00

    I suggest you open Start, search for Feedback, open the Feedback Hub app, take the steps to reproduce this problem, and share the feedback with the Windows team.
