Credential Guard / LSASS Protection Logs
Location
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LSA%4Operational.evtx and C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wininit%4Operational.evtx
Description
LSA operational and Wininit logs record Credential Guard status, LSASS process protection (RunAsPPL) enforcement, credential isolation events, and attempts to access protected credentials. Together they indicate whether hardware-based credential isolation was active during the incident.
Forensic Value
These logs confirm whether Credential Guard and LSASS protection were active at the time of compromise, which directly bounds the scope of credential exposure. If Credential Guard was enabled, NTLM hashes and Kerberos TGTs were isolated in a virtualization-based (VBS), hardware-backed container outside normal LSASS memory, so standard credential dumping tools such as Mimikatz would have failed to read them. Event ID 5004 in the LSA operational log records when a caller was denied access to LSA secrets, providing evidence of credential theft attempts. The Wininit log captures LSASS initialization, including whether PPL (Protected Process Light) was enforced; any event showing PPL disabled or bypassed is a critical indicator of a sophisticated attack against credential stores. Note that the registry values only show what was configured, whereas the logs show what was actually enforced at each boot, so the two should be compared.
Tools Required
EvtxECmd, PowerShell (Get-WinEvent, Get-ItemProperty)
Collection Commands
EvtxECmd
EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-LSA%4Operational.evtx" --csv C:\output\ --csvf lsa_operational.csv
EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wininit%4Operational.evtx" --csv C:\output\ --csvf wininit_operational.csv
PowerShell
Get-WinEvent -LogName "Microsoft-Windows-LSA/Operational" | Export-Csv C:\output\lsa_operational.csv -NoTypeInformation
PowerShell
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" | Select-Object RunAsPPL,LsaCfgFlags | Format-List
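The collection commands above pull the raw logs and the configured registry values separately. The following PowerShell script is an added example, not part of the original page or any vendor tool: it gathers the configured state (registry), the running state (the Win32_DeviceGuard WMI class), and the log evidence in one pass, then flags the mismatches an analyst would want to explain. It assumes it runs elevated on the live host; C:\output is a placeholder output directory. Wininit Event ID 12 ("LSASS.exe was started as a protected process") is documented by Microsoft and is written to the System log under the Microsoft-Windows-Wininit provider; Event ID 5004 is taken from the description above.

```powershell
# Added example (not from the original page): snapshot configured vs. running
# Credential Guard / LSASS PPL state and collect the log events that back it up.
# Assumes an elevated session on the live host; $OutDir is a placeholder.
$OutDir = 'C:\output'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Configured state (registry): what the host was told to enforce.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$configured = [pscustomobject]@{
    RunAsPPL    = $lsa.RunAsPPL      # 1 = LSASS as PPL with UEFI lock, 2 = PPL without UEFI lock, 0/absent = off
    LsaCfgFlags = $lsa.LsaCfgFlags   # 1 = Credential Guard with UEFI lock, 2 = without lock, 0/absent = off
}

# 2. Running state (WMI): what VBS actually has active. The registry can say
#    "enabled" on a host where VBS never started, so both views are needed.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
$running = [pscustomobject]@{
    VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = running
    CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)      # 1 = Credential Guard
    HvciRunning            = ($dg.SecurityServicesRunning -contains 2)      # 2 = HVCI
}

# 3. Log evidence. Wininit Event ID 12 records LSASS starting as a protected process
#    (System log, Microsoft-Windows-Wininit provider). A boot with no such event while
#    RunAsPPL was set is the gap to explain.
$pplStarts = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

# LSA/Operational Event ID 5004 (per the description above): caller denied access to LSA secrets.
$denied = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-LSA/Operational'; Id = 5004
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, ProcessId, Message

# 4. Persist everything, then surface the contradictions that matter for scoping exposure.
$configured | Export-Csv (Join-Path $OutDir 'lsa_config.csv')         -NoTypeInformation
$running    | Export-Csv (Join-Path $OutDir 'vbs_running.csv')        -NoTypeInformation
$pplStarts  | Export-Csv (Join-Path $OutDir 'wininit_lsass_ppl.csv')  -NoTypeInformation
$denied     | Export-Csv (Join-Path $OutDir 'lsa_5004_denied.csv')    -NoTypeInformation

if ($configured.LsaCfgFlags -in 1,2 -and -not $running.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running: secrets were NOT isolated.'
}
if ($configured.RunAsPPL -in 1,2 -and -not $pplStarts) {
    Write-Warning 'RunAsPPL is set but no Wininit Event 12 found: PPL start not evidenced in the retained log.'
}
if ($denied) {
    Write-Warning ("{0} LSA access-denied events (ID 5004) recorded; review lsa_5004_denied.csv." -f @($denied).Count)
}
```

Run it once per host early in triage and keep the four CSVs with the exported .evtx files; the warnings are the cases where the registry alone would have overstated the protection actually in force.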