How to: Addressing Pass-the-Hash Attacks with Windows 10 and Credential Guard
One of the more infamous attacks of late is the pass-the-hash attack. It allows an attacker to authenticate to a remote client or server using a valid user name together with the user's password hash, both retrieved from the residual memory of the machine being attacked. Once the client or server has been compromised, the attacker deliberately causes problems on that device in the hope that someone with elevated privileges will log on to it to repair the damage, leaving their own credentials behind in memory. This cycle continues until the attacker gains the desired administrator access to the organization's infrastructure itself.
To address this attack, Microsoft took advantage of the Hyper-V capability available in Windows 10 to run a black box of sorts that stores credential information and only allows the client kernel to access those credentials. In-depth details of the process are given in the following video:
In essence Credential Guard, formerly Virtual Secure Mode, isolates sensitive Windows processes in a hardware-based Hyper-V container. The isolated VM runs the Windows kernel and a series of trustlets (processes) within it and nothing more. The small footprint makes it difficult to attack, and Credential Guard protects the kernel and trustlets inside the isolated VM even if the main Windows kernel is compromised.
This setup accesses no network and has no UI, so it cannot be tampered with by traditional methods, which eliminates the avenue today's pass-the-hash attack relies on.
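The post does not show how to verify that Credential Guard is actually running, so here is an added PowerShell check written for this page; it is not code from the original post or from Microsoft. It reads the Win32_DeviceGuard CIM class, which reports the state of virtualization-based security (VBS) and of the Credential Guard service as integer codes, and optionally writes the documented registry values that turn Credential Guard on. The class, registry paths and value meanings are Microsoft's documented ones; the function names and the usage at the bottom are this example's own assumptions. Run it from an elevated prompt; a reboot is needed before any registry change takes effect.

```powershell
# Added example: report (and optionally configure) Credential Guard on Windows 10.
# Function names are this example's own; Win32_DeviceGuard and the registry keys
# below are Microsoft's documented interfaces. Requires an elevated PowerShell.

function Get-CredentialGuardState {
    # Win32_DeviceGuard exposes VBS and security-service status as integer codes.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'NotEnabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { "Unknown($_)" }
    }

    # LsaCfgFlags: 1 = Credential Guard on with UEFI lock, 2 = on without lock, 0 or absent = off
    $lsaFlags = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                  -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    # SecurityServicesConfigured / SecurityServicesRunning are arrays of codes:
    # 1 = Credential Guard, 2 = HVCI (memory integrity)
    [pscustomobject]@{
        VbsStatus                 = $vbs
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning    -contains 1)
        HvciRunning               = ($dg.SecurityServicesRunning    -contains 2)
        LsaCfgFlags               = $lsaFlags
    }
}

function Enable-CredentialGuardRegistry {
    param(
        # By default the UEFI lock is applied, so the setting cannot be silently
        # undone later by anyone who merely holds admin rights on the box.
        [switch]$NoUefiLock
    )
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }

    # Turn on VBS and require Secure Boot (value 1) as the platform security feature.
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord

    # 1 = Credential Guard with UEFI lock, 2 = Credential Guard without lock.
    $flag = if ($NoUefiLock) { 2 } else { 1 }
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $flag -Type DWord

    Write-Host "Credential Guard registry settings written (LsaCfgFlags=$flag); reboot required."
}

# Usage (assumed): show the current state, then configure only if it is not running yet.
$state = Get-CredentialGuardState
$state | Format-List
if (-not $state.CredentialGuardRunning) {
    Enable-CredentialGuardRegistry
}
```

A machine on which `VbsStatus` stays at `EnabledNotRunning` after a reboot usually lacks one of the hardware prerequisites (UEFI with Secure Boot, CPU virtualization extensions, or the Hyper-V hypervisor feature), so check those before assuming the registry change failed.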