What defenses can be implemented to prevent CredSSP-based credential theft?
To defend against this attack, organizations should restrict Group Policy settings for CredSSP credential delegation—avoid enabling 'Allow delegating default credentials' unless absolutely necessary. Use the registry to set `AllowDefaultCredentials` and `AllowDefCredentialsWhenNTLMOnly` to 0. Additionally, implement LSA protection and Credential Guard, monitor for unauthorized registry changes at `HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation`, and restrict named pipe creation. For further reading on related exploitation techniques, see Process Doppelganging and Exchange file write to command execution.
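As an added example (not part of the original answer), the following PowerShell audit checks the hardening described above on the local host: the two CredentialsDelegation values, the SPN allow-list subkey that Group Policy writes when delegation is enabled, LSA protection (`RunAsPPL`) and Credential Guard (`Win32_DeviceGuard`). The function name and the wording of the findings are my own; run it in an elevated session.

```powershell
# Added example: audit CredSSP delegation hardening on the local host.
$DelegationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$LsaKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CredSspDelegationFindings {
    $findings = @()
    if (Test-Path $DelegationKey) {
        $props = Get-ItemProperty -Path $DelegationKey
        foreach ($name in 'AllowDefaultCredentials', 'AllowDefCredentialsWhenNTLMOnly') {
            $value = $props.$name
            if ($null -eq $value) {
                $findings += "$name is not managed by policy (set it explicitly to 0)"
            } elseif ($value -ne 0) {
                $findings += "$name = $value (expected 0)"
            }
            # When the policy is enabled, Group Policy also creates a subkey of the
            # same name holding numbered REG_SZ values with the SPN patterns
            # (e.g. TERMSRV/*) that default credentials may be delegated to.
            $subKey = Join-Path $DelegationKey $name
            if (Test-Path $subKey) {
                $spns = (Get-ItemProperty -Path $subKey).PSObject.Properties |
                    Where-Object { $_.Name -match '^\d+$' } |
                    ForEach-Object { $_.Value }
                if ($spns) { $findings += "$name SPN allow-list present: $($spns -join ', ')" }
            }
        }
    } else {
        $findings += 'CredentialsDelegation key absent: delegation settings are not managed by policy'
    }
    # LSA protection: RunAsPPL = 1 runs LSASS as a protected process.
    $runAsPpl = (Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue).RunAsPPL
    if ($runAsPpl -ne 1) { $findings += "RunAsPPL = '$runAsPpl' (expected 1: LSA protection is off)" }
    # Credential Guard reports as service id 1 in SecurityServicesRunning.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg -or ($dg.SecurityServicesRunning -notcontains 1)) {
        $findings += 'Credential Guard is not running'
    }
    return $findings
}

$result = Get-CredSspDelegationFindings
if ($result.Count -eq 0) { 'No findings: CredSSP delegation hardening is in place.' } else { $result }
```

Pair the script with a scheduled run or a SIEM rule on registry-change events for the CredentialsDelegation key so that a later change to these values is noticed, not only the current state.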
Tags: defense, Group Policy hardening, Credential Guard, registry monitoring, named pipe security