Fantastic Windows Logon types and Where to Find Credentials in Them
https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them
#windwows #credential
https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them
#windwows #credential
Altered Security
Fantastic Windows Logon types and Where to Find Credentials in Them
Hello All,In this blog post we will explore and learn about various Windows Logon Types and understand how are these logon type events are generated. We will also see if we can extract credentials from individual logon types. We will be using our Active Directory…
🔐 Credential Guard Bypass
The well-known WDigest module, which is loaded by LSASS, has two interesting global variables:
Research:
https://itm4n.github.io/credential-guard-bypass/
PoC:
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
#lsass #wdigest #credential #guard #research
The well-known WDigest module, which is loaded by LSASS, has two interesting global variables:
g_IsCredGuardEnabled and g_fParameter_UseLogonCredential. Their name is rather self explanatory, the first one holds the state of Credential Guard within the module, the second one determines whether clear-text passwords should be stored in memory. By flipping these two values, you can trick the WDigest module into acting as if Credential Guard was not enabled.Research:
https://itm4n.github.io/credential-guard-bypass/
PoC:
https://github.com/itm4n/Pentest-Windows/blob/main/CredGuardBypassOffsets/poc.cpp
#lsass #wdigest #credential #guard #research
🔥2