SharpCGHunter

This tool can be used to identify the status of Windows Defender Credential Guard on network hosts.

At a high level, Credential Guard is a Windows feature that protects the host's secrets using virtualization-based security.

SharpCGHunter will query local and remote hosts to determine if Credential Guard is enabled and whether it is currently running. This tool will also return the virtualization-based security status on the host.

 _____ _                      _____ _____  _   _             _
/  ___| |                    /  __ \  __ \| | | |           | |
\ `--.| |__   __ _ _ __ _ __ | /  \/ |  \/| |_| |_   _ _ __ | |_ ___ _ __
 `--. \ '_ \ / _` | '__| '_ \| |   | | __ |  _  | | | | '_ \| __/ _ \ '__|
/\__/ / | | | (_| | |  | |_) | \__/\ |_\ \| | | | |_| | | | | ||  __/ |
\____/|_| |_|\__,_|_|  | .__/ \____/\____/\_| |_/\__,_|_| |_|\__\___|_|
                       | |
                       |_|


Usage:
SharpCGHunter.exe --host=127.0.0.1
SharpCGHunter.exe --domain=net.local

Required Arguments:
NONE            -Not specifying any arguments will execute it on the current host.

Optional Arguments:
--host=         -Specify a single remote host, a list of comma-seperated hosts, or an IP with wildcards/CIDR notations.
                 A single host argument or comma-seperated host arguments can either be IPs or host names.
                 (I.E. --host=192.168.1.1,192.168.1.2 // --host=192.168.1.0/24 // --host=192.168.1.*)

--domain=       -Specify the domain and the program will enumerate domain systems and query them for Credential Guard.
                 (I.E. --domain=TARGET.LOCAL // --domain=TARGET)

--help          - Print help information.

Versions

0.0.2:

• Added wildcard and CIDR notation to host argument

• Supports domain enumeration and querying

• Improved output with sorted results upon completion

0.0.1:

• Initial release

For reference:

Credential Guard: How it works

How to Verify if Device Guard is Enabled or Disabled in Windows 10