Credential Guard is a virtualization-based isolation technology forLSASS which prevents attackers from stealing credentials that could be used forpass the hash attacks.[1][2][3][4] Credential Guard was introduced withMicrosoft'sWindows 10 operating system.[1] As of Windows 11 version 22H2, Credential Guard is only available in the Enterprise edition of the operating system.[5]
After compromising a system, attackers often attempt to extract any stored credentials for further lateral movement through the network. A prime target is theLSASS process, which stores NTLM andKerberos credentials. Credential Guard prevents attackers from dumping credentials stored in LSASS by running LSASS in a virtualized container that even a user with SYSTEM privileges cannot access.[6] The system then creates a proxy process called LSAIso (LSA Isolated) for communication with the virtualized LSASS process.[7][3][8]
There are several generic techniques for stealing credentials on systems with Credential Guard: