Catching Credential Guard Off Guard
ID: 9e0bf66b-303d-525c-ab04-20ca0d12d3d9
STIX ID: report--9e0bf66b-303d-525c-ab04-20ca0d12d3d9
Feed Name: SpecterOps Blog
**Executive summary:** This research demonstrates practical methods for extracting credentials from modern Windows systems protected by Credential Guard. The authors leverage Remote Credential Guard, reimplement the SSP/Negotiate/Kerberos server-side flows, and invoke Credential Guard's NTLM and Kerberos interfaces directly, which among other things yields crackable NTLMv1 responses. They release a proof-of-concept tool, DumpGuard, and walk through several attack scenarios along with their prerequisites (an SPN or a machine account, and SYSTEM privileges in some cases). Defensive guidance is limited; the main suggestion is to monitor LsaCallAuthenticationPackage for the specific NTLM challenge responses the technique produces.
