OverLAPS: Overriding LAPS Logic — Antoine Goichot

Duration: 30 min

Type: Talk

Speakers: Antoine Goichot

Abstract

Local Administrator Password Solution (LAPS) automates local admin password rotation and secure storage in Active Directory (AD) or Microsoft Entra ID. It ensures that each system has a unique and strong password.

In OverLAPS: Overriding LAPS Logic, we will revisit and extend our previous research (Malicious use of “Local Administrator Password Solution”, Hack.lu 2017) by exposing client-side attacks in Windows LAPS (“LAPSv2”). After a brief overview of LAPS’s evolution, from clear-text fields in AD with Microsoft LAPS (“LAPSv1”) to encrypted AD attributes or Entra ID storage with Windows LAPS, we will explore the client-side logic of Windows LAPS. Unlike prior work that exfiltrates passwords only after directory compromise, we will focus on abusing LAPS to maintain presence on compromised endpoints, both on-prem and Entra-joined devices.

We will leverage PDB symbols and light static analysis to understand how LAPS works internally, then use Frida for dynamic hooking to capture, manipulate, and rotate admin passwords on demand. We will also reproduce Frida proof-of-concepts using Microsoft Detours for in-process hooks.

Attendees will gain practical insights into new attack vectors against Windows LAPS, enabling them to assess, reproduce, and defend against client-side attacks in their own environments.

Description

LAPS “v1” (legacy Microsoft LAPS) and “v2” (current Windows LAPS) have been studied by numerous people.

However, past research has focused on attacking LAPS from the server side, i.e. recovering passwords from AD/Entra with high privileges on the infrastructure. This research takes a different approach: client-side techniques that give a user of a compromised endpoint control over that machine's own LAPS password, including changing it on demand.

This talk explores a new angle and shares practical techniques that hackers can experiment with and apply in their own work.

Video available