OverLAPS: Overriding LAPS Logic
Antoine Goichot
DEF CON 33 · Day 2 · Main Stage
Microsoft's Local Administrator Password Solution (LAPS) is one of the most widely deployed defenses against lateral movement in enterprise Windows environments. By ensuring every managed endpoint has
AI review
Antoine Goichot presents original research into the internals of the Windows LAPS V2 client-side DLL, demonstrating three post-exploitation attack classes against the LAPS client on managed endpoints: (1) password interception at rotation time by hooking ChangePasswordForManagedLocalAccount in laps.dll via Frida, (2) password desynchronization between the local SAM and the directory, and (3) on-demand forced rotation, triggered by patching the return value of the expiration check. All attacks require existing local administrator privileges. The OverLAPS tool operationalizes these techniques.