TL;DR
Credential Guard significantly reduces the risk of pass-the-hash and pass-the-ticket attacks, but doesn’t eliminate them entirely. Attackers can still succeed if they compromise a system before Credential Guard is fully enabled or exploit vulnerabilities in other areas of the network.
Understanding the Threat
Pass-the-Hash (PtH) involves stealing password hashes from memory and using them to authenticate to other systems. Pass-the-Ticket (PtT) reuses stolen Kerberos tickets, which grant access without needing the account's password.
Credential Guard protects credentials by isolating them in a virtualized environment, making it much harder for attackers to steal them directly from processes like lsass.exe.
How Credential Guard Helps
- Isolated LSA: The Local Security Authority (LSA) process, which handles authentication, runs in a protected virtual machine.
- Virtual TPM (vTPM): Uses a vTPM to protect keys and credentials.
- Code Integrity: Ensures only trusted code can run within the Credential Guard environment.
Can Attacks Still Succeed?
Yes, in several scenarios:
1. Pre-Credential Guard Compromise
- Compromised System Before Enablement: If a system is compromised before Credential Guard is enabled, the attacker may already have hashes or tickets. Credential Guard won’t retroactively protect those stolen credentials.
- Persistence Mechanisms: Attackers can establish persistence (e.g., through scheduled tasks, registry modifications) before Credential Guard is active. This allows them to regain access even after Credential Guard is enabled.
2. Exploiting Other Vulnerabilities
- Bootkits/Rootkits: If an attacker gains control at the boot level (e.g., through a bootkit), they can bypass Credential Guard entirely.
- Kernel-Level Exploits: A vulnerability in the Windows kernel could allow an attacker to access credentials within the protected environment.
- Credential Dumping from Other Sources: Attackers might steal credentials from other sources (e.g., SAM database, web applications) that aren’t protected by Credential Guard.
3. Kerberoasting and AS-REP Roasting
These attacks target service accounts. Credential Guard doesn’t directly prevent them.
- Kerberoasting: Attackers request Kerberos service tickets for service accounts, then crack the ticket hashes offline.
- AS-REP Roasting: Attackers exploit misconfigured service accounts to obtain their NTLM hashes.
```
Rubeus -K kerberoast
```
4. Golden/Silver Ticket Attacks
These attacks involve compromising the Kerberos Key Distribution Center (KDC).
- Golden Ticket: Attackers create a forged ticket granting them domain administrator privileges.
- Silver Ticket: Attackers create a forged ticket for a specific service.
Credential Guard doesn’t directly prevent these attacks, but strong account monitoring and Kerberos auditing can help detect them.
5. Credential Guard Configuration Errors
- Incorrect Virtual TPM Settings: Misconfigured vTPM settings can weaken protection.
- Disabled Code Integrity: Disabling code integrity allows untrusted code to run within the protected environment.
Mitigation Steps
- Enable Credential Guard Before Compromise: Deploy Credential Guard as early as possible in your security lifecycle.
- Secure Boot and UEFI: Ensure Secure Boot is enabled to prevent bootkits from loading.
- Regular Patching: Keep Windows systems up-to-date with the latest security patches.
- Least Privilege: Grant users only the necessary permissions.
- Account Monitoring and Auditing: Monitor for suspicious account activity, especially service accounts. Enable Kerberos auditing.
- Network Segmentation: Isolate critical systems to limit the impact of a compromise.
- Implement Multi-Factor Authentication (MFA): MFA adds an extra layer of security even if credentials are stolen.
- Regular Security Assessments: Conduct regular penetration tests and vulnerability scans.
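A practical way to catch the configuration errors from section 5 and to verify the first two mitigation steps is to check what is actually running rather than what policy says. The following PowerShell is an added example (not from the original article); it assumes Windows 10/11 or Server 2016+ with the standard `Win32_DeviceGuard` WMI class and the `Confirm-SecureBootUEFI` cmdlet, and it must be run from an elevated prompt.

```powershell
# Added example: report whether Credential Guard, HVCI and Secure Boot are
# actually active, so a "configured but not running" deployment or a disabled
# code-integrity setting is caught before an attacker finds it. Run elevated.
function Get-CredentialGuardPosture {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # SecurityServicesRunning / SecurityServicesConfigured values:
    #   1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1
    $hvciRunning  = $dg.SecurityServicesRunning    -contains 2

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not enabled".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    [pscustomobject]@{
        VbsRunning                = $vbsRunning
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        HvciRunning               = $hvciRunning
        SecureBootEnabled         = $secureBoot
    }
}

# Turn the raw posture into findings a defender can act on.
function Test-CredentialGuardPosture {
    $p = Get-CredentialGuardPosture
    $findings = @()
    if (-not $p.SecureBootEnabled) { $findings += 'Secure Boot is off: bootkits can load before VBS starts.' }
    if (-not $p.VbsRunning)        { $findings += 'VBS is not running: Credential Guard has nothing to isolate into.' }
    if ($p.CredentialGuardConfigured -and -not $p.CredentialGuardRunning) {
        $findings += 'Credential Guard is configured but not running (reboot pending or hardware prerequisite missing).'
    }
    if (-not $p.CredentialGuardRunning) { $findings += 'Credential Guard is not running: LSASS secrets are not isolated.' }
    if (-not $p.HvciRunning) { $findings += 'HVCI is off: untrusted kernel code could run alongside the isolated LSA.' }

    if ($findings.Count -eq 0) { 'OK: Credential Guard, HVCI and Secure Boot are all active.' } else { $findings }
}

Test-CredentialGuardPosture
```

Roll this into a scheduled compliance check or your EDR's custom query so a host that silently drops out of the protected state is flagged, not just one that was never configured.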