🔐 Credential Guard Bypass
The well-known WDigest module, which is loaded by LSASS, has two interesting global variables:
Research:
https://itm4n.github.io/credential-guard-bypass/
PoC:
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
#lsass #wdigest #credential #guard #research
The well-known WDigest module, which is loaded by LSASS, has two interesting global variables:
g_IsCredGuardEnabled and g_fParameter_UseLogonCredential. Their name is rather self explanatory, the first one holds the state of Credential Guard within the module, the second one determines whether clear-text passwords should be stored in memory. By flipping these two values, you can trick the WDigest module into acting as if Credential Guard was not enabled.Research:
https://itm4n.github.io/credential-guard-bypass/
PoC:
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
#lsass #wdigest #credential #guard #research
🔥2
APT
🔐 Credential Guard Bypass The well-known WDigest module, which is loaded by LSASS, has two interesting global variables: g_IsCredGuardEnabled and g_fParameter_UseLogonCredential. Their name is rather self explanatory, the first one holds the state of Credential…
🔐 Combination of 2 PoCs for bypassing Credential Guard with in-memory invocation
PoC 1 (patch wdigest.dll):
https://gist.github.com/N4kedTurtle/8238f64d18932c7184faa2d0af2f1240
PoC 2 (find variable offsets in runtime):
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
Merged:
https://gist.github.com/snovvcrash/43e976779efdd20df1596c6492198c99
#lsass #wdigest #credguard
PoC 1 (patch wdigest.dll):
https://gist.github.com/N4kedTurtle/8238f64d18932c7184faa2d0af2f1240
PoC 2 (find variable offsets in runtime):
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
Merged:
https://gist.github.com/snovvcrash/43e976779efdd20df1596c6492198c99
#lsass #wdigest #credguard
🔥4👍3