Addressing Pass-The-Hash Attacks with Windows 10 and Credentials Guard

  • Article

People and organizations have increasingly become more and more dependent on technology.  What started as a means of communication, has now evolved into a deep repository of information provided by people and organizations shared publicly or privately. Alongside this progression, digital attacks have also evolved to attempt to steal said data for malicious use.  What started back in 2003 as simple mischief, digital attacks have now evolved to steal information for financial gain or even attempt to bring down organizations. 

One of the more infamous attacks of late is the Pass-The-Hash Attack. This attack allows an attacker to authenticate to a remote client/server using a valid user name and user password hash values retrieved from the residual memory of the machine being attacked. Once the client/server has been compromised, the attacker will then cause problems within the remote device in hopes that someone with elevated privileges will access said device to repair the problems cause by the attacker. This cycle continues until the attacker gains the desired administrator access to the organization's infrastructure itself.

To address this attack, Microsoft took advantage of the Hyper-V capability made available in Windows 10 to run a black box or sorts that would store credential information and would only allow access of said credentials to the client kernel. In depth details of the process are detailed in the following video:

In essence Credentials Guard, formally Virtual Secure More, isolates sensitive Windows processes in a hardware based Hyper-V container. This means the isolated VM runs the Windows Kernel and a series of Trustlets or Processes within it and nothing more. The small footprint makes it difficult to attack and Credentials Guard even protects the kernel and Trustlets within the isolated VM should the Windows Kernel be compromised.
 

 
This setup accesses no network, has no UI, and so cannot be tampered with by traditional methods thus eliminating the probability of today's Pass the Hash attack.