Windows Server 2019 and Windows 10 Pro - Credential Guard Enabled, Mimikatz still obtaining hashes

Question

Windows Server 2019 and Windows 10 Pro - Credential Guard Enabled, Mimikatz still obtaining hashes

MartinPJones 1

After much experimentation with Device Guard and Credential Guard on Windows platforms hosted with vCenter ESXi 6.7, I've found DG does not work with Windows Server 2016, however I was able to get it "working" with Windows Server 2019 and Windows 10 Pro hosted on the same ESXi rack. I use quotation marks around working as, though the CG compatibility tool tells me the security is running, as does System Information, I am still able to extract passwords from the system using Mimikatz (sekurlsa::logonpasswords). I am not doing any injections or work beforehand to allow this, and only download mimikatz after I have enabled Credential Guard and ensured it is running.

Does anyone know why Credential Guard may not be working as intended? Thanks!

System Information:

CG Compatibility Tool output:

PS C:\Users\Administrator\Downloads\dgreadiness_v3.6\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready  
###########################################################################  
Readiness Tool Version 3.4 Release.  
Tool to check if your device is capable to run Device Guard and Credential Guard.  
###########################################################################  
###########################################################################  
OS and Hardware requirements for enabling Device Guard and Credential Guard  
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home  
 2. Hardware: Recent hardware that supports virtualization extension with SLAT  
To learn more please visit: https://aka.ms/dgwhcr  
###########################################################################  
  
Credential-Guard is enabled and running.  
HVCI is enabled and running.  
Config-CI is enabled and running. (Audit mode)  
HVCI, Credential-Guard, and Config-CI are enabled and running.

Mimikatz Output:

mimikatz # sekurlsa::logonpasswords  
  
Authentication Id : 0 ; 248622 (00000000:0003cb2e)  
Session           : RemoteInteractive from 2  
User Name         : Administrator  
Domain            : VBS-2019  
Logon Server      : VBS-2019  
Logon Time        : 1/6/2021 12:17:26 PM  
SID               : S-1-5-21-3869050133-2886954220-3090916572-500  
        msv :  
         [00000003] Primary  
         * Username : Administrator  
         * Domain   : VBS-2019  
         * NTLM     : [Hash removed]  
         * SHA1     : [Hash removed]  
        tspkg :  
        wdigest :  
         * Username : Administrator  
         * Domain   : VBS-2019  
         * Password : (null)  
        kerberos :  
         * Username : Administrator  
         * Domain   : VBS-2019  
         * Password : (null)  
        ssp :  
        credman :

3 answers

Your answer

Answer 1

Anonymous

Hi,

Please read below article to see if it can resolve your question. It mentioned that "Despite Credential Guard, users with administrative access can still find ways to steal credentials entered on Windows machines." It also provided an example that use Mimikatz own Security Support Provider.

Windows Credential Guard & Mimikatz
https://blog.nviso.eu/2018/01/09/windows-credential-guard-mimikatz/

Hope above information can help you.

Thanks,

Eleven

If the answer is helpful, please click "Accept Answer" and up-vote it.

MartinPJones 1 Reputation point

2021-01-07T21:38:15.94+00:00

Hi, I'm afraid this does not help. The issue currently is that Mimikatz is still able to access the hashes stored within the LSA -- it does not appear they're being moved to the isolated LSA where Mimikatz would not be able to reach them. It is possible using the Mimikatz SSP to get credential, however that would require injecting it into the running memory and reading the credentials as their given rather than pulling them from cache. While CredentialGuard won't protect against SSP injection, it should be protecting against direct access into the LSA, which it is not -- the difference being the ability to pull all cached passwords versus the ability to grab password as they're sent in, and a system reboot wiping the SSP for the latter.

Answer 2

Hi,

Have your VM joined any domain? Is the Credential Guard enabled before domain joining?

Below article recommends enabling Windows Defender Credential Guard before a device is joined to a domain.
https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage

If the problem still persists, I think you might need to capture some dumps or traces to further investigate the issue, which I suggest to contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.

You may find phone number for your region accordingly from the link below:
Global Customer Service phone numbers
https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

Thanks,
Eleven

----------

If the answer is helpful, please click "Accept Answer" and up-vote it.

MartinPJones 1 Reputation point

2021-01-08T01:49:47.177+00:00

I'll definitely give them a call, thanks! The device is not domain-bound, so should be no issue there. Hopefully customer service can help!

Answer 3

Reza-Ameri 17,341 Volunteer Moderator

I suggestion open start and search for feedback and open Feedback Hub app and then take steps to reproduce this problem and share feedback to Windows team.

Share via

Windows Server 2019 and Windows 10 Pro - Credential Guard Enabled, Mimikatz still obtaining hashes

3 answers

Eleven

Your answer