
By manipulating LSASS memory flags like UseLogonCredential and IsCredGuardEnabled, this repo demonstrates how Credential Guard can be bypassed—restoring cleartext credentials despite the protection appearing active. Requires SYSTEM-level access and targets VBS-based defenses.

ErenCanOzmn/CredentialGuardBypass

CredentialGuardBypass – Bypassing Credential Guard via LSASS Memory Manipulation

This project demonstrates a technique to bypass Microsoft Credential Guard by directly manipulating memory structures within the lsass.exe process.

Overview

Credential Guard is a security feature introduced by Microsoft that uses Virtualization-Based Security (VBS) to protect credentials from being stolen, even by attackers with administrative privileges. It does so by isolating LSASS and storing secrets (such as password hashes) in a protected virtual environment.


However, if an attacker already has SYSTEM-level access, it's possible to:

- Locate specific memory structures related to credential handling in LSASS
- Patch flags such as UseLogonCredential and IsCredGuardEnabled directly in memory
- Trigger the system to treat LSASS as if Credential Guard were not active
- Extract cleartext credentials on subsequent logins

This repo includes:

- Methods for obtaining a handle to LSASS using NtQuery/NtOpen APIs
- Signature scanning within wdigest.dll to locate offset values
- How to calculate virtual addresses for targeted variables
- Patch process for changing values in LSASS memory
- Demonstration of cleartext credential recovery post-manipulation

Requirements

SYSTEM privileges (e.g., obtained via SeDebugPrivilege or a kernel exploit); by default, local administrator users have these.

Example

This section demonstrates the process of bypassing Credential Guard by manipulating LSASS memory directly.

1. Initial Flag Values in LSASS Memory

The UseLogonCredential and IsCredGuardEnabled flags initially show:

UseLogonCredential = 0
IsCredGuardEnabled = 1

2. Checking Current LSASS Memory State

Using the tool dizmana_credguard.exe, the current values of these flags are verified:

```powershell
.\dizmana_credguard.exe check
```


3. Patching LSASS Memory

The values are patched in memory to:

UseLogonCredential = 1
IsCredGuardEnabled = 0


4. Credential Dumping via Mimikatz

After patching and re-authentication, cleartext passwords become visible in memory and can be extracted using tools like Mimikatz.
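As an added defender-side example that is not part of this repository, the PowerShell below inspects from the outside the state this README describes: the Credential Guard status Windows reports, the registry counterpart of the UseLogonCredential flag, and Sysmon ProcessAccess events against lsass.exe. Because the patch is applied to LSASS memory and not to the registry, the first two checks keep reporting the protection as active after the bypass, so the handle-access events are the signal a defender has to watch. Assumes an elevated session and that Sysmon is installed with ProcessAccess logging enabled.

```powershell
# Added example (not the repository's own code): defender-side checks for the protections
# this README discusses. Run in an elevated PowerShell session.

function Get-CredGuardStatus {
    # Win32_DeviceGuard lists configured/running VBS services; value 1 = Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning          = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = running
        CredGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
    }
}

function Get-WDigestSetting {
    # Registry counterpart of the UseLogonCredential flag; a missing value means the
    # default (0, no cleartext caching). An in-memory patch does not change this value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $val = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    if ($null -eq $val) { 0 } else { [int]$val }
}

function Get-LsassAccessEvents {
    # Sysmon Event ID 10 (ProcessAccess) where lsass.exe is the target: writing LSASS
    # memory requires such a handle. Assumes Sysmon logs ProcessAccess events.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'TargetImage:.*\\lsass\.exe' } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            SourceImage = ([regex]::Match($_.Message, 'SourceImage:\s*(.+)')).Groups[1].Value.Trim()
            Access      = ([regex]::Match($_.Message, 'GrantedAccess:\s*(\S+)')).Groups[1].Value
        }
    }
}

$status  = Get-CredGuardStatus
$wdigest = Get-WDigestSetting
"Credential Guard running: $($status.CredGuardRunning); WDigest UseLogonCredential (registry): $wdigest"
if ($wdigest -eq 1) { Write-Warning 'WDigest cleartext credential caching is enabled in the registry.' }
# Any unexpected source process holding a handle to lsass.exe is worth investigating.
Get-LsassAccessEvents -Hours 24 | Format-Table -AutoSize
```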


References

https://github.com/ricardojoserf/NativeBypassCredGuard
https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/
https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/
https://www.blackhat.com/docs/us-16/materials/us-16-Wojtczuk-Analysis-Of-The-Attack-Surface-Of-Windows-10-Virtualization-Based-Security.pdf
