🔐 Credential Guard Bypass
The well-known WDigest module, which is loaded by LSASS, has two interesting global variables:
Research:
https://itm4n.github.io/credential-guard-bypass/
PoC:
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
#lsass #wdigest #credential #guard #research
The well-known WDigest module, which is loaded by LSASS, has two interesting global variables:
g_IsCredGuardEnabled and g_fParameter_UseLogonCredential. Their name is rather self explanatory, the first one holds the state of Credential Guard within the module, the second one determines whether clear-text passwords should be stored in memory. By flipping these two values, you can trick the WDigest module into acting as if Credential Guard was not enabled.Research:
https://itm4n.github.io/credential-guard-bypass/
PoC:
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
#lsass #wdigest #credential #guard #research
🔥2