Posts
Blue Team Basics: Active Directory Security Assessments
Mimikatz vs. Credential Guard
I started writing a post about Credential Guard. Then I started testing Mimikatz in a lab to see what Credential Guard actually stops. Then I fell down a rabbit hole and this turned into something bigger than I planned. So here's the deal: I'm going to show you what Mimikatz does to an unprotected domain controller, then show you how Credential Guard shuts it down, and then tell you about all the stuff that breaks when you flip the switch. Because nobody warns you about that last part until it's too late.

The attack: what Mimikatz actually does

So Mimikatz. Benjamin Delpy wrote it in 2011 as a research project. He found a flaw in how Windows handles authentication and tried to report it to Microsoft. They blew him off. So he published the tool instead. It's been used in basically every major Windows credential theft since, including NotPetya and Bad Rabbit. What makes it dangerous is simple: Windows caches credential hashes in LSASS memory so you don't h...