One Day Sec

What is the CredSSP protocol and how can it be abused to extract plaintext passwords?

The CredSSP (Credential Security Support Provider) protocol is used to delegate a user's plaintext password from a client to a server, commonly in Remote Desktop Services and PowerShell Remoting. By modifying Group Policy to enable 'Allow delegating default credentials' and then setting up a fake server using tools like kekeo, an attacker can force the client to send its current user's plaintext password to the attacker-controlled server. This technique does not require interacting with the lsass process, thus bypassing many protections. See this article for full details.
CredSSP, plaintext password extraction, credential delegation, kekeo, Group Policy
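Because the technique depends on the 'Allow delegating default credentials' policy being enabled, a defender can audit hosts for that setting and for the server names it trusts. The script below is an added example, not part of the original answer. It assumes the standard Credentials Delegation policy location in the registry, and the function name `Get-CredSspDelegationFinding` is hypothetical.

```powershell
# Added audit example (not from the original page): lists the servers a host is
# allowed to delegate default credentials to, and flags wildcard entries.
$CredSspPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# Value names behind "Allow delegating default credentials" and its
# "with NTLM-only server authentication" variant.
$CredSspPolicyNames = 'AllowDefaultCredentials', 'AllowDefCredentialsWhenNTLMOnly'

function Get-CredSspDelegationFinding {
    param([string]$BasePath = $CredSspPolicyRoot)

    # No key at all means the policy was never configured on this host.
    if (-not (Test-Path -LiteralPath $BasePath)) { return }

    $root = Get-ItemProperty -LiteralPath $BasePath
    foreach ($name in $CredSspPolicyNames) {
        $flag = $root.PSObject.Properties[$name]
        if (-not $flag -or $flag.Value -ne 1) { continue }   # policy not enabled

        # The trusted server list is stored in a subkey named after the policy;
        # each value under it holds one SPN pattern such as TERMSRV/host.
        $listPath = Join-Path $BasePath $name
        $spns = @()
        if (Test-Path -LiteralPath $listPath) {
            $key  = Get-Item -LiteralPath $listPath
            $spns = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
        }

        if ($spns.Count -eq 0) {
            # Enabled with an empty list: report it so the state is still visible.
            [pscustomobject]@{ Policy = $name; Spn = '(none listed)'; Wildcard = $false }
            continue
        }
        foreach ($spn in $spns) {
            [pscustomobject]@{
                Policy   = $name
                Spn      = $spn
                # A '*' in the pattern means the password can be delegated to
                # servers that were never individually approved.
                Wildcard = $spn.Contains('*')
            }
        }
    }
}

Get-CredSspDelegationFinding | Sort-Object Wildcard -Descending | Format-Table -AutoSize
```

Any row on a host where delegation was never intentionally deployed is worth investigating, and wildcard rows are the ones to narrow to explicit server names first.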
