BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//hack-lu-2025//talk//Y3DGVG
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-hack-lu-2025-Y3DGVG@pretalx.com
DTSTART;TZID=CET:20251021T170000
DTEND;TZID=CET:20251021T173000
DESCRIPTION:Local Administrator Password Solution (LAPS) automates local ad
 min password rotation and secure storage in Active Directory (AD) or Micro
 soft Entra ID. It ensures that each system has a unique and strong passwor
 d.\n\nIn OverLAPS: Overriding LAPS Logic\, we will revisit and extend our 
 previous research (Malicious use of "Local Administrator Password Solution
 "\, Hack.lu 2017) by exposing client-side attacks in Windows LAPS ("LAPSv2
 "). After a brief overview of LAPS's evolution\, from clear-text fields in
  AD with Microsoft LAPS ("LAPSv1") to encrypted AD attributes or Entra ID 
 storage with Windows LAPS\, we will explore the client-side logic of Windo
 ws LAPS. Unlike prior work that exfiltrates passwords only after directory
  compromise\, we will focus on abusing LAPS to maintain presence on compro
 mised endpoints\, both on-prem and Entra-joined devices.\n\nWe will levera
 ge PDB symbols and light static analysis to understand how LAPS works inte
 rnally\, then use Frida for dynamic hooking to capture\, manipulate\, and 
 rotate admin passwords on demand. We will also reproduce Frida proof-of-co
 ncepts using Microsoft Detours for in-process hooks.\n\nAttendees will gai
 n practical insights into new attack vectors against Windows LAPS\, enabli
 ng them to assess\, reproduce\, and defend against client-side attacks in 
 their own environments.
DTSTAMP:20260307T180101Z
LOCATION:Europe
SUMMARY:OverLAPS: Overriding LAPS Logic - Antoine Goichot
URL:https://pretalx.com/hack-lu-2025/talk/Y3DGVG/
END:VEVENT
END:VCALENDAR