item 38856080

RedTeamPT|2 years ago

Yes, it requires an attacker in a powerful position with local access. However, it does not require special privileges or techniques that may trigger endpoint security (such as keyloggers or memory dumping). The only requirements are reading a JSON file and making a single Windows API call to retrieve the key.

jabart|2 years ago

It sounds like this required both local access AND an Active Directory Domain Administrator account (which should have triggered EDR at some point), which is the end game anyway. They just managed to hop out of the AD environment to a non-AD server because of the other password being in this vault. Glad they made it more user interactive to decrypt.

kadoban|2 years ago

No, the final one only required local access as the user in question (this is mentioned after the one you're referring to that required AD Domain takeover).

malfist|2 years ago

Do hardware keyloggers trigger endpoint security?

Sohcahtoa82|2 years ago

A hardware keylogger has to sit as a MitM between the keyboard and the USB port.

Sufficiently paranoid endpoint security could trip when the keyboard is unplugged and then plugged back in.

RedTeamPT|2 years ago

No, but hardware keyloggers require physical access.

sumedh|2 years ago

I asked ChatGPT "where can I buy hardware keyloggers".

It just shut me down: "I can't assist with that request."