Credential guard and token stealing with mimikatz when RDPing

  • Question

  • I was testing out the feature with my Surface Pro 3 (which has TPM 2). I'm using mimikatz to test whether I can steal my own credentials or not.

    It seems that if I log into a computer locally that has CG enabled, it successfully protects the credentials and I can't get at them with mimikatz. The same is true if I use RSAT tools for administration.

    However, if I log into that computer using a normal user account and then RDP to a Server 2012 R2 machine, and use credentials I want to protect, I can still steal them with mimikatz.

    Have I possibly configured something wrong or is there some way to get this to work, or would I need to upgrade to Server 2016 to gain the remote credential guard feature?

    Thanks


    • Edited by torsuds Thursday, February 23, 2017 3:07 PM
    Thursday, February 23, 2017 3:06 PM

All replies

  • Hi,

    mimikatz is a hacking tool. Microsoft does not support it. As far as I know, mimikatz is grabbing passwords from memory. The below is a reference article about securing credentials; please check the part "Prevent access to in-memory credentials" to protect your credentials. Also, I notice that you performed a remote desktop to a Server 2012 R2 machine; please note: enabling Credential Guard on domain controllers is not supported. The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes.

    Credential Theft and How to Secure Credentials
    "However, there is more you can do to harden the operating system to reduce the risk against tools like Mimikatz. TechNet has a great article on how to make the Local Security Authority (LSA) a protected process, by using a security hardening technique that has existed since back in the Windows Vista days. By setting the RunAsPPL registry key for the LSA, you set it up to prevent code injection that could compromise the credentials, which is essentially what Mimikatz does. One suggestion I have beyond this TechNet article is to leverage UEFI secure variables on startup, which prevents an attacker from being able to remove this protection and restart the computer. "
    https://technet.microsoft.com/en-us/security/dn920237.aspx?f=255&MSPPError=-2147217396

    If you have any concern about Credential guard, you could use the built-in "Feedback" tool to submit it.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 24, 2017 9:44 AM
    Moderator
  • What kind of RDP connection? Is it secured?

    The credential guard will protect the credentials on the local machine if it's enabled, whether manually or using GP.

    Without remote credential guard (if you don't have Windows 10 1607 or Server 2016) you can use restricted admin: "mstsc.exe /restrictedadmin"

    For Remote Guard Please check the below article

    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/remote-credential-guard?f=255&MSPPError=-2147217396

    Monday, March 6, 2017 8:22 AM
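    The two replies above point at host-side settings the original poster can verify before assuming the feature is misconfigured: LSA running as a protected process (RunAsPPL, first reply) and Credential Guard plus Restricted Admin mode (second reply). The following PowerShell audit is an added example, not code from this thread or from Microsoft; it assumes an elevated session on the machine being inspected, the documented Lsa registry location and the Win32_DeviceGuard WMI class.

```powershell
# Added example (not from the thread): audit the settings discussed above on this host.
# (1) Is Credential Guard actually running?   (2) Is LSA a protected process (RunAsPPL)?
# (3) Does this host accept Restricted Admin RDP ("mstsc.exe /restrictedadmin" targets)?
# Run in an elevated PowerShell; output is informational only and changes nothing.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CredentialGuardState {
    # Win32_DeviceGuard distinguishes configured from running services.
    # Service id 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) { return 'unknown (Win32_DeviceGuard unavailable; older OS?)' }
    $configured = $dg.SecurityServicesConfigured -contains 1
    $running    = $dg.SecurityServicesRunning    -contains 1
    if ($running)        { 'running' }
    elseif ($configured) { 'configured but NOT running (check VBS, TPM and UEFI prerequisites)' }
    else                 { 'not configured' }
}

function Get-LsaProtectionState {
    # RunAsPPL = 1 (or 2 on newer builds, meaning "without UEFI lock") makes lsass.exe a
    # protected process, which blocks user-mode injection and memory reads into LSA.
    $val = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    if ($val -in 1, 2) { 'enabled' } else { 'disabled (RunAsPPL absent or 0)' }
}

function Get-RestrictedAdminState {
    # DisableRestrictedAdmin = 0 on the RDP *target* allows Restricted Admin connections,
    # which keep the user's reusable credentials off the remote host. Absent or 1 means the
    # host does not accept /restrictedadmin sessions.
    $val = (Get-ItemProperty -Path $lsaKey -Name DisableRestrictedAdmin `
                             -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    if ($null -eq $val) { 'not configured (Restricted Admin not accepted)' }
    elseif ($val -eq 0) { 'allowed' }
    else                { 'explicitly disabled' }
}

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    CredentialGuard = Get-CredentialGuardState
    LsaProtection   = Get-LsaProtectionState
    RestrictedAdmin = Get-RestrictedAdminState
} | Format-List
```

    Run it on both the Windows 10 client and the Server 2012 R2 target: Credential Guard on the client says nothing about what the server accepts, which is the gap the original question describes.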

  • It seems that if I log into a computer locally that has CG enabled, it successfully protects the credentials and I can't get at them with mimikatz. The same is true if I use RSAT tools for administration.

    Did you use a local or domain account? Are local accounts also protected?
    Saturday, October 28, 2017 5:47 AM