OverLAPS: Overriding LAPS Logic

Presented at DEF CON 33 (2025), Aug. 9, 2025, 5:30 p.m. (20 minutes).

Local Administrator Password Solution (LAPS) automates local admin password rotation and secure storage in Active Directory (AD) or Microsoft Entra ID. It ensures that each system has a unique and strong password. In OverLAPS: Overriding LAPS Logic, we will revisit and extend our previous research (Malicious use of "Local Administrator Password Solution", Hack.lu 2017) by exposing client-side attacks in Windows LAPS ("LAPSv2"). After a brief overview of LAPS's evolution, from clear-text fields in AD with Microsoft LAPS ("LAPSv1") to encrypted AD attributes or Entra ID storage with Windows LAPS, we will explore the client-side logic of Windows LAPS. Unlike prior work that exfiltrates passwords only after directory compromise, we will focus on abusing LAPS to maintain presence on compromised endpoints, both on-prem and Entra-joined devices. We will leverage PDB symbols and light static analysis to understand how LAPS works internally, then use Frida for dynamic hooking to capture, manipulate, and rotate admin passwords on demand. We will also reproduce Frida proof-of-concepts using Microsoft Detours for in-process hooks. Attendees will gain practical insights into new attack vectors against Windows LAPS, enabling them to assess, reproduce, and defend against client-side attacks in their own environments.

References:

  • Microsoft documentation on Windows LAPS:
    - What is Windows LAPS? - [link](https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview)
    - Key concepts in Windows LAPS - [link](https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts-overview)
  • Existing attacks and tools:
    - HackTricks page on LAPS - [link](https://book.hacktricks.wiki/windows-hardening/active-directory-methodology/laps.html)
    - Karl Fosaaen (kfosaaen) for NetSPI Blog, Running LAPS Around Cleartext Passwords - [link](https://www.netspi.com/blog/technical-blog/network-penetration-testing/running-laps-around-cleartext-passwords/)
    - Karl Fosaaen (kfosaaen) "Get-LAPSPasswords" PowerShell script - [link](https://github.com/kfosaaen/Get-LAPSPasswords)
    - Leo Loobeek (leoloobeek) "LAPSToolkit" PowerShell script - [link](https://github.com/leoloobeek/LAPSToolkit)
    - Adam Chester blog post on Windows LAPS, LAPS 2.0 Internals - [link](https://blog.xpnsec.com/lapsv2-internals/)
    - BloodHound "ReadLAPSPassword" page - [link](https://bloodhound.specterops.io/resources/edges/read-laps-password)
    - NetExec LAPS module - [link](https://github.com/Pennyw0rth/NetExec/blob/main/nxc/modules/laps.py)
  • Tools & Frameworks:
    - Frida by Ole André Vadla Ravnås - [link](https://frida.re/)
    - Ghidra by the NSA - [link](https://ghidra-sre.org/)
    - Detours by Microsoft - [link](https://github.com/microsoft/Detours)
  • Prior work and reference materials:
    - Maxime Clementz and Antoine Goichot, Malicious use of "Local Administrator Password Solution", Hack.lu, October 2017 - [link](http://archive.hack.lu/2017/HackLU_2017_Malicious_use_LAPS_Clementz_Goichot.pdf)
    - Microsoft security advisory: Local Administrator Password Solution (LAPS) now available: May 1, 2015 - [link](https://support.microsoft.com/en-us/topic/microsoft-security-advisory-local-administrator-password-solution-laps-now-available-may-1-2015-404369c3-ea1e-80ff-1e14-5caafb832f53)
    - LAPS Operations Guide, LAPS Technical Specification - [link](https://www.microsoft.com/download/details.aspx?id=46899)
    - Local admin password management solution MSDN Code Gallery page (archive from September 2017) - [link](https://web.archive.org/web/20170929223316/https://code.msdn.microsoft.com/Solution-for-management-of-ae44e789)
    - Jiri Formacek (jformacek) / GreyCorbel "AdmPwd" solution (release 5.2.0) - [link](https://github.com/GreyCorbel/admpwd/releases/tag/v5.2.0)

Presenters:

  • Antoine Goichot
    Antoine Goichot is a French cybersecurity professional and Ethical Hacker working in Luxembourg. With ten years of hands-on experience and several certifications (CRTO/CRTL, GPEN/GXPN, GDAT), he has been into hacking since junior high school, always trying to find clever ways to solve technical problems and tweak his computer. In high school, he jailbroke a dozen PSPs so friends could play homebrew games between classes. He later studied computer science and networks at TELECOM Nancy. Now a Senior Manager at PwC Luxembourg, Antoine leads projects for a large variety of clients including major corporations, banks, European institutions, and insurance companies. Beyond his day job, he has uncovered several vulnerabilities in Windows VPN clients, Cisco AnyConnect (CVE-2020-3433/3434/3435, CVE-2020-27123, CVE-2021-1427) and Ivanti Secure Access (CVE-2023-38042); these issues were fixed by the vendors after coordinated disclosure. Antoine has contributed to the cybersecurity community through a conference paper co-authored during his studies, blog posts, articles in the MISC magazine (French periodical), etc. He also co-presented at Hack.lu in October 2017 on "Malicious use of 'Local Administrator Password Solution'".