
NativeBypassCredGuard - Exploiting NTAPI to Bypass Windows Credential Guard
NativeBypassCredGuard is a tool designed to bypass Microsoft's Credential Guard by using NTAPI functions to patch the WDigest.dll module inside the LSASS process. This guide provides an overview of its functionality, usage, and technical details.
Overview
Credential Guard is a security feature in Windows that uses virtualization-based security (VBS) to isolate and protect credentials, such as NTLM password hashes and Kerberos tickets, from unauthorized access.
It prevents attackers from dumping credentials stored in the memory of the Local Security Authority Subsystem Service (LSASS). NativeBypassCredGuard, however, circumvents this protection by patching specific variables in the WDigest.dll module loaded by LSASS.
How NativeBypassCredGuard Works
NativeBypassCredGuard uses NTAPI functions (exported by ntdll.dll) to locate and patch two variables in WDigest.dll:
- Variable identification:
  - g_fParameter_UseLogonCredential: determines whether plaintext credentials are cached.
  - g_IsCredGuardEnabled: indicates whether Credential Guard is enabled.
- Patching process:
  - The tool searches for a specific byte pattern (39 ?? ?? ?? ?? 00 8b ?? ?? ?? ?? 00) in the .text section of WDigest.dll to locate the memory addresses of these variables.
  - It sets g_fParameter_UseLogonCredential to 1 (enabling plaintext caching) and g_IsCredGuardEnabled to 0 (disabling Credential Guard).
- Effects:
  - After patching, plaintext credentials are stored in LSASS memory during subsequent logins.
  - This allows attackers to extract cleartext passwords by dumping LSASS memory.
NTAPI Functions Used
The tool exclusively uses NTAPI functions for its operations, avoiding the higher-level API layer where user-mode hooks and other security mechanisms are typically placed:
- Privilege escalation: NtOpenProcessToken, NtAdjustPrivilegesToken (to enable SeDebugPrivilege).
- File handling: NtCreateFile, NtReadFile (to open and read the DLL file).
- Process interaction: NtGetNextProcess, NtQueryInformationProcess, NtReadVirtualMemory (to locate and interact with LSASS and its modules).
- Memory manipulation: NtWriteProcessMemory (to patch values).
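Every step above ends with a handle to lsass.exe that carries memory read or write rights, and that handle request is what Sysmon records as Event ID 10 (ProcessAccess) regardless of whether the caller went through Win32 wrappers or straight to ntdll. The following detection helper is an added example written for this guide, not code from the NativeBypassCredGuard project: it parses constructed, simplified Sysmon Event ID 10 records (key=value pairs on one line, a format assumed for this example), keeps only accesses to lsass.exe, decodes the GrantedAccess mask, and rates write access (which in-memory patching needs) above read-only access (which a dump or a benign inspection tool needs). The allowlist paths and sample image names are assumptions for the example.

```python
"""Flag processes that open lsass.exe with memory read/write rights.

Added example for this guide; the log lines below are constructed and the
key=value layout is a simplification of Sysmon Event ID 10 (ProcessAccess).
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Windows process access rights that matter for reading or patching LSASS memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Constructed sample records (not real telemetry). Paths are assumptions.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\alice\\tools\\NativeBypassCredGuard.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Program Files\\EDR\\agent.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe "
    "TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1FFFFF",
]

# key=value pairs; values may contain spaces, so match lazily up to the next key.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    source_image: str
    granted_access: int
    severity: str


def parse_event(line: str) -> dict:
    """Split one simplified Sysmon record into a field dictionary."""
    return dict(_FIELD_RE.findall(line))


def classify_lsass_access(line: str,
                          allowlist: FrozenSet[str] = frozenset()) -> Optional[Finding]:
    """Return a Finding for an LSASS handle with memory rights, else None.

    allowlist holds lower-cased image paths of tooling expected to touch LSASS
    (for instance an EDR agent); anything else is rated by the access mask.
    """
    ev = parse_event(line)
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = ev.get("SourceImage", "")
    if source.lower() in allowlist:
        return None
    mask = int(ev.get("GrantedAccess", "0x0"), 16)
    if mask & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION):
        # Write rights are required to patch variables inside LSASS memory.
        severity = "high"
    elif mask & PROCESS_VM_READ:
        # Read-only rights suffice for a memory dump or a benign inspection.
        severity = "medium"
    else:
        # Query-only handles (e.g. 0x1000) do not expose LSASS memory.
        return None
    return Finding(source, mask, severity)


def scan(lines: List[str], allowlist: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Run classify_lsass_access over a batch of records, dropping non-findings."""
    findings = (classify_lsass_access(line, allowlist) for line in lines)
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    known_good = frozenset({"c:\\program files\\edr\\agent.exe"})
    for finding in scan(SAMPLE_EVENTS, known_good):
        print(f"{finding.severity:6} {finding.source_image} "
              f"GrantedAccess=0x{finding.granted_access:X}")
```

On real hosts the same logic applies to the GrantedAccess field of Sysmon Event ID 10 exported from the event log; the allowlist is the part that needs tuning per environment, since backup agents, EDR sensors and some monitoring tools legitimately open LSASS with read rights, while write rights on LSASS from anything outside that list warrant immediate investigation.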
Optional Feature: Ntdll Remapping
To bypass user-mode hooks and ensure clean execution, NativeBypassCredGuard can remap a clean copy of ntdll.dll. This involves:
- Extracting a clean copy of ntdll.dll from a debugged process.
- Using that copy to avoid detection by endpoint protection mechanisms.
Usage
The tool supports two main operations: checking current variable values and patching them.
Syntax
NativeBypassCredGuard.exe <OPTION> <REMAP-NTDLL>
Options
- check: reads the current values of the variables.
- patch: writes new values to enable plaintext credential caching.
Remap Ntdll (optional)
- true: enables ntdll remapping.
- false (or omitted): disables ntdll remapping.
Examples
1. Check current values without remapping:
NativeBypassCredGuard.exe check
2. Patch values with ntdll remapping:
NativeBypassCredGuard.exe patch true
Technical Notes
- The tool is designed for 64-bit systems and must be compiled as a 64-bit binary.
- It requires administrative privileges to interact with LSASS.
- If the Process Environment Block (PEB) structure is unreadable, an alternative method using kernel32!LoadLibrary can be employed to load WDigest.dll.
Limitations
- The tool will fail if it cannot obtain a handle to LSASS or access the required memory regions.
- Credential Guard only protects credentials cached while it is enabled. If it is disabled or bypassed, subsequent logons are not protected.
Security Implications
While Credential Guard significantly strengthens credential protection through VBS, tools like NativeBypassCredGuard demonstrate that an attacker who already holds administrative privileges can still manipulate system processes to extract sensitive information.
This highlights the importance of multi-layered security strategies beyond Credential Guard, including monitoring of handles opened to LSASS. You can learn more and download NativeBypassCredGuard on GitHub.