How to: Addressing Pass-The-Hash Attacks with Windows 10 and Credential Guard

One of the more notorious attacks of recent years is the pass-the-hash attack. An attacker who has gained administrative control of one machine extracts NTLM password hashes from the memory of the Local Security Authority process (LSASS) on that machine and uses them to authenticate to other clients and servers as those users, without ever needing the plaintext passwords. Once the next client or server has been compromised, the attacker can deliberately cause problems on it in the hope that someone with elevated privileges will log on to repair them, leaving that account's hash in memory to be harvested in turn. The cycle continues until the attacker holds the administrator credentials needed to control the organization's infrastructure itself.

To address this attack, Microsoft took advantage of the Hyper-V hypervisor available in Windows 10 to run a black box of sorts that stores the credential material and exposes it only to a small isolated environment outside the reach of the normal Windows kernel. In-depth details of the process are covered in the following video:


In essence, Credential Guard, which is built on what Microsoft calls Virtual Secure Mode (VSM), isolates the sensitive part of the Local Security Authority in a hardware-backed Hyper-V container. That isolated environment runs a small secure kernel and a handful of trustlets (isolated processes, such as the isolated LSA process that holds the credentials) and nothing more. The small footprint leaves little to attack, and because the hypervisor enforces the boundary, the secure kernel and its trustlets stay protected even if the normal Windows kernel is compromised.

[Image: Credential Guard architecture diagram]

This isolated environment has no network access and no user interface, so it cannot be tampered with by the usual methods, and the NTLM hashes and Kerberos ticket-granting tickets an attacker would need for pass-the-hash are no longer sitting in ordinary LSASS memory to be dumped. That greatly reduces, rather than eliminates, the attack: Credential Guard has to be explicitly enabled and needs 64-bit Windows 10 Enterprise on hardware with UEFI, Secure Boot and virtualization extensions; it protects only domain credentials, so local account hashes in the SAM and credentials handled by third-party software are not covered; and it does nothing against an attacker who simply uses a logged-on user's session or access tokens. It also stops NTLMv1 and unconstrained Kerberos delegation from working, so applications that depend on them need attention before rollout.
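As an added example that is not part of the original post, the following PowerShell audits whether Credential Guard is actually running on a Windows 10 host and shows the registry switches used to turn it on. The `Win32_DeviceGuard` class, its property meanings, the `LsaIso` process name and the registry values are Microsoft's documented ones; the function and parameter names are this example's own.

```powershell
# Added example, not code from the original post. Queries Microsoft's documented
# Win32_DeviceGuard WMI class and the LsaIso process to tell whether Credential
# Guard is running, and applies the documented registry switches that enable it.
# Function and parameter names are this example's own. Run from an elevated shell.

function Get-CredentialGuardStatus {
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
    } catch {
        # Namespace is absent on builds or editions without virtualization-based security
        throw "Win32_DeviceGuard not available on this host: $($_.Exception.Message)"
    }

    # VirtualizationBasedSecurityStatus: 0 = VBS off, 1 = configured but not running, 2 = running
    # SecurityServicesConfigured/Running: 1 = Credential Guard, 2 = HVCI (code integrity)
    # AvailableSecurityProperties: 1 = virtualization support, 2 = Secure Boot, 3 = DMA protection
    # LsaIso.exe is the isolated LSA trustlet; LSASS keeps running but no longer holds the secrets
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ([int[]]$dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ([int[]]$dg.SecurityServicesRunning -contains 1)
        LsaIsoProcessPresent      = [bool]$lsaIso
        SecureBootAvailable       = ([int[]]$dg.AvailableSecurityProperties -contains 2)
        DmaProtectionAvailable    = ([int[]]$dg.AvailableSecurityProperties -contains 3)
    }
}

function Enable-CredentialGuard {
    param(
        # RequirePlatformSecurityFeatures: 1 = Secure Boot only, 3 = Secure Boot plus DMA protection
        [ValidateSet(1, 3)] [int] $PlatformSecurityFeatures = 1,
        # LsaCfgFlags: 1 = on with UEFI lock (cannot be undone by editing the registry remotely),
        #              2 = on without the lock, which is easier to roll back during a pilot
        [ValidateSet(1, 2)] [int] $LsaCfgFlags = 1
    )
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }
    New-ItemProperty -Path $dgKey  -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $dgKey  -Name RequirePlatformSecurityFeatures  -Value $PlatformSecurityFeatures -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $lsaKey -Name LsaCfgFlags                      -Value $LsaCfgFlags -PropertyType DWord -Force | Out-Null

    Write-Warning 'Credential Guard takes effect at next boot; reboot, then re-run Get-CredentialGuardStatus.'
}

# Usage: audit first, then enable only where the firmware prerequisites are reported as present.
$status = Get-CredentialGuardStatus
$status | Format-List
if (-not $status.CredentialGuardRunning -and $status.SecureBootAvailable) {
    Enable-CredentialGuard -PlatformSecurityFeatures 1 -LsaCfgFlags 2
}
```

The decisive field is `CredentialGuardRunning` (together with the presence of `LsaIso.exe`): a host can have the registry values set and still report `CredentialGuardConfigured` only, for example when virtualization is disabled in firmware or Secure Boot is off, in which case LSASS still holds the hashes and pass-the-hash works exactly as before. The usage above enables without the UEFI lock so a pilot can be reversed by deleting the values and rebooting; for production, `LsaCfgFlags` 1 prevents an attacker with administrative rights from simply switching the protection off.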
