SSP Injection
Credential Guard uses Virtualization-Based Security (VBS) to protect credentials by isolating them in a secure environment. VBS relies on the hypervisor to create memory regions that the normal OS cannot read, enforced through Virtual Trust Levels (VTLs): VTL0 hosts the regular Windows kernel and user mode, while VTL1 runs the isolated security functions.
When enabled, Credential Guard moves the domain secrets that LSASS used to hold in memory (NTLM hashes, Kerberos TGTs and their keys) into an isolated process, LSAISO.exe, running in VTL1. LSASS in VTL0 talks to LSAISO over a defined channel and only ever holds encrypted blobs. Tools like Mimikatz run in VTL0 and can still read LSASS memory, but the protected domain credentials are not there in any usable form. Credential Guard was introduced in Windows 10 and Windows Server 2016; since Windows 11 22H2 it is enabled by default on hardware that meets the requirements, while older or downlevel systems often have it disabled.
Credential Guard only protects domain credentials held by LSA. Local accounts are not covered, so the NTLM hashes of local users on the target machine can still be obtained.
If we try to dump credentials from LSASS on a host with Credential Guard enabled, we will not get the domain Administrator's hash, even if we know that the domain Administrator has logged into the target host. The in-memory domain credentials from earlier logons are held by the LSAISO process in VTL1; LSASS only ever sees them after LSAISO has encrypted them, so a dump of LSASS memory yields nothing usable for those accounts.
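Before spending effort on an LSASS dump it is worth knowing whether Credential Guard is actually running on the host. The following PowerShell triage is an added example, not part of the original page or of any tool it mentions. It reads the Win32_DeviceGuard WMI class, looks for the LsaIso.exe process and checks the LsaCfgFlags and RunAsPPL registry values; the interpretation of the flag values in the comments is Microsoft's documented meaning, and the function and variable names are my own. Run it in an elevated session.

```powershell
# Added example (not from the original page): triage whether Credential Guard
# is running before attempting an LSASS credential dump. Run elevated.

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard reports VBS state. VirtualizationBasedSecurityStatus is
    # 0 = disabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 1 when Credential Guard is running and
    # 2 when HVCI (memory integrity) is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    $vbsRunning = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $cgRunning  = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    # LsaIso.exe is the VTL1 side of Credential Guard; it only exists while the
    # feature is active.
    $lsaIso = Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue

    # Registry view. LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled
    # without lock, 0 or absent = disabled. The policy key wins if present.
    # RunAsPPL (LSA Protection) matters separately: when set, lsass.exe runs
    # as a protected process that a normal administrator cannot open for
    # writing, which is exactly what in-memory SSP injection needs.
    $lsa    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsRunning             = $vbsRunning
        CredentialGuardRunning = $cgRunning -or ($null -ne $lsaIso)
        LsaIsoPid              = if ($lsaIso) { $lsaIso.Id } else { $null }
        LsaCfgFlags            = if ($null -ne $policy.LsaCfgFlags) { $policy.LsaCfgFlags } else { $lsa.LsaCfgFlags }
        RunAsPPL               = $lsa.RunAsPPL
    }
}

$status = Get-CredentialGuardStatus
$status | Format-List

if ($status.CredentialGuardRunning) {
    Write-Host 'Credential Guard is running: LSASS holds only encrypted blobs for domain logons.'
    Write-Host 'A memory dump will give local SAM hashes at best; intercept credentials at logon time instead.'
}
if ($status.RunAsPPL -ge 1) {
    Write-Host 'LSA Protection (RunAsPPL) is set: in-memory SSP injection cannot open lsass.exe.'
    Write-Host 'The registry-registered SSP route (DLL on disk, takes effect at next LSA load) is unaffected by it.'
}
```

The two signals are deliberately combined: WMI can report Credential Guard as configured but not running (for example when the hypervisor failed to start), whereas a live LsaIso.exe is proof that VTL1 isolation is in effect right now.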
To bypass Credential Guard, attackers intercept credentials at authentication time instead of retrieving stored ones. Windows authentication goes through the Security Support Provider Interface (SSPI), which dispatches to Security Support Providers (SSPs) such as Kerberos and NTLM that are loaded inside LSASS. Every loaded SSP is handed the plaintext credentials of an interactive logon before Credential Guard has any chance to isolate them, so an attacker whose own SSP is loaded into LSASS in VTL0 sees them in the clear. There are two ways to get it loaded: register a malicious SSP DLL by adding its name to the Security Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (persistent, but the DLL must sit on disk and it only takes effect when LSA next loads its packages, normally at reboot), or inject the SSP straight into the running LSASS process. Mimikatz's memssp module (misc::memssp, after privilege::debug) takes the second route: it patches LSASS in memory, so no SSP DLL is written to disk, and appends every captured logon in plaintext to C:\Windows\System32\mimilsa.log. It needs administrator rights with SeDebugPrivilege and fails when LSA Protection (RunAsPPL) is enabled, because LSASS then runs as a protected process that a normal administrator cannot open for writing.
At this point, every logon on the host that presents a password to LSA, whether on the console, over RDP, through runas or a scheduled task with stored credentials, is captured in plaintext, domain accounts included, because the SSP sees the credential before it ever reaches LSAISO. Authentication that never presents a password to this host (an inbound network logon using NTLM challenge-response, Kerberos ticket reuse, pass-the-hash) produces nothing, so the usual trigger is waiting for an administrator to log on interactively.
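The registry route and the memssp route leave different traces, and both can be checked from the same elevated PowerShell session. The script below is an added example, not from the original page or from Mimikatz: it lists the SSPs LSA is configured to load from both Security Packages values, compares them against an allowlist of packages that ship with Windows (an assumption; the exact set varies by Windows version, so treat a mismatch as a prompt to look, not proof), verifies that each DLL exists in System32 and is signed, looks for the mimilsa.log file that memssp writes, and pulls recent Security event 4622 entries, which only exist if the Audit Security System Extension subcategory is enabled. The package name mimilib used in a comment is the name of Mimikatz's own SSP DLL, used here only to illustrate what a malicious entry would look like.

```powershell
# Added example (not from the original page): audit the SSPs that LSA will
# load and look for the artifacts of both SSP-based credential capture routes.
# Run elevated.

# LSASS reads the REG_MULTI_SZ 'Security Packages' value from both of these
# keys when it loads its packages. The registry route appends a package name
# (for Mimikatz's mimilib.dll this would be 'mimilib', with the DLL copied into
# System32) and waits for LSA to load it, normally at the next reboot.
$sspKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
)

# Assumed allowlist of packages Microsoft ships; adjust per Windows version.
$knownGood = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', 'negoexts', 'livessp')

function Get-RegisteredSsp {
    foreach ($key in $sspKeys) {
        $item = Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($pkg in @($item.'Security Packages')) {
            # Windows sometimes stores a literal "" placeholder; skip it.
            if ([string]::IsNullOrWhiteSpace($pkg) -or $pkg -eq '""') { continue }
            $name = $pkg -replace '\.dll$', ''
            $dll  = Join-Path $env:SystemRoot "System32\$name.dll"
            $sig  = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'DllMissing' }
            [pscustomobject]@{
                Key       = $key
                Package   = $pkg
                KnownGood = $knownGood -contains $name.ToLower()
                DllPath   = $dll
                Signature = $sig
            }
        }
    }
}

Get-RegisteredSsp | Format-Table -AutoSize

# The in-memory route (mimikatz: privilege::debug, then misc::memssp) adds no
# registry entry and drops no DLL, but it patches lsass.exe and appends each
# captured logon to this file. Its presence is a strong indicator.
$memsspLog = Join-Path $env:SystemRoot 'System32\mimilsa.log'
if (Test-Path $memsspLog) {
    Write-Warning "memssp log found: $memsspLog"
    Get-Content $memsspLog -Tail 5
}

# Security event 4622 ('A security package has been loaded by the Local
# Security Authority') is written when 'Audit Security System Extension' is on.
# Its single data field is the package name; one outside the allowlist is the
# registry route caught at load time.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4622 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Package'; e = { $_.Properties[0].Value } } |
    Format-Table -AutoSize
```

From the attacker's side the same script doubles as a pre-flight check: an entry in Security Packages that survives a reboot is visible to anyone who looks here, while memssp leaves only the patched process and the log file, which is why the in-memory route is preferred when LSA Protection is not in the way.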