CredGuard

Overview
Syntax
Remote Execution
Output
Use Cases
Example Output
Remote Execution
Detection Considerations
Related Commands

Overview

The CredGuard command checks the configuration status of Windows Defender Credential Guard, a virtualization-based security feature that protects credentials by isolating LSASS in a secure environment. Understanding Credential Guard status is crucial for assessing credential theft risk.

Syntax

Seatbelt.exe CredGuard

Remote Execution

Seatbelt.exe CredGuard -computername=TARGET.domain.com [-username=DOMAIN\user -password=pass]

Output

Returns Credential Guard configuration:

Enabled/Disabled status
Configuration method (UEFI, Registry)
Running status
Security Services Running

Use Cases

Red Team
Blue Team

Assess credential theft protection
Determine if mimikatz will work
Plan credential access strategy
Identify systems vulnerable to credential dumping

Example Output

====== CredGuard ======

CredentialGuard      : Not Configured
LsaCfgFlags          : 0
SecurityServicesRunning : 0

  [*] Credential Guard is NOT running

Remote Execution

This command supports remote execution using the -computername parameter.

Detection Considerations

Low detection risk - reads registry and WMI data.

LSASettings - LSA configuration
WindowsDefender - Defender settings
SecureBoot - Secure Boot status

LAPS SecureBoot

⌘I

Getting Started

System - OS & Environment

System - Security Configuration

System - Authentication & Access

System - Network

System - Monitoring & Enterprise

System - Advanced

User - Credentials

User - Browser Data

User - Cloud & Remote Access

User - Recent Activity

User - Communication

Misc - Event Logs

Misc - Browser History

Misc - File & Registry

Misc - System Details

Overview

Syntax

Remote Execution

Output

Use Cases

Example Output

Remote Execution

Detection Considerations

Getting Started

System - OS & Environment

System - Security Configuration

System - Authentication & Access

System - Network

System - Monitoring & Enterprise

System - Advanced

User - Credentials

User - Browser Data

User - Cloud & Remote Access

User - Recent Activity

User - Communication

Misc - Event Logs

Misc - Browser History

Misc - File & Registry

Misc - System Details

​Overview

​Syntax

​Remote Execution

​Output

​Use Cases

​Example Output

​Remote Execution

​Detection Considerations

​Related Commands

Overview

Syntax

Remote Execution

Output

Use Cases

Example Output

Remote Execution

Detection Considerations

Related Commands