2025-10-21 –, Europe
Local Administrator Password Solution (LAPS) automates local admin password rotation and secure storage in Active Directory (AD) or Microsoft Entra ID. It ensures that each system has a unique and strong password.
In OverLAPS: Overriding LAPS Logic, we will revisit and extend our previous research (Malicious use of "Local Administrator Password Solution", Hack.lu 2017) by exposing client-side attacks in Windows LAPS ("LAPSv2"). After a brief overview of LAPS's evolution, from clear-text fields in AD with Microsoft LAPS ("LAPSv1") to encrypted AD attributes or Entra ID storage with Windows LAPS, we will explore the client-side logic of Windows LAPS. Unlike prior work that exfiltrates passwords only after directory compromise, we will focus on abusing LAPS to maintain presence on compromised endpoints, both on-prem and Entra-joined devices.
We will leverage PDB symbols and light static analysis to understand how LAPS works internally, then use Frida for dynamic hooking to capture, manipulate, and rotate admin passwords on demand. We will also reproduce Frida proof-of-concepts using Microsoft Detours for in-process hooks.
Attendees will gain practical insights into new attack vectors against Windows LAPS, enabling them to assess, reproduce, and defend against client-side attacks in their own environments.
LAPS "v1" (legacy Microsoft LAPS) and "v2" (current Windows LAPS) have been studied by numerous people.
However, past research has focused on attacking LAPS from the server side, i.e. recovering passwords from AD/Entra with high privileges on the infrastructure.
This research takes a different approach: client-side techniques that grant users control over their own LAPS password, changing it on demand.
This talk explores a new angle and shares practical techniques that hackers can experiment with and apply in their own work.
Antoine Goichot is a cybersecurity professional and Ethical Hacker. With ten years of hands-on experience and some certifications (CRTO/CRTL, GPEN/GXPN, GDAT), he has been into hacking since junior high school. He was always trying to find clever ways to solve technical problems and tweak his computer. In high school, he jailbroke a dozen PSPs so friends could play homebrew games between classes. He later studied computer science and networks at TELECOM Nancy.
Now as Senior Manager at PwC Luxembourg, Antoine leads projects for a large variety of clients including major corporations, banks, European institutions, and insurance companies. Beyond his day job, he has uncovered several vulnerabilities in Windows VPN clients, Cisco AnyConnect (CVE-2020-3433/3434/3435, CVE-2020-27123, CVE-2021-1427) and Ivanti Secure Access (CVE-2023-38042). These issues have been fixed by vendors after coordinated disclosure.
Antoine has contributed to the cybersecurity community through a conference paper co-authored during his studies, blog posts, articles in the MISC magazine (French periodical), etc. He also co-presented at Hack.lu in October 2017 on "Malicious use of 'Local Administrator Password Solution'".
 
 