Hacker News new | ask | show | jobs
by hypeatei 895 days ago
I'm glad they made some improvements to security as a result of this finding. This "attack" is still very specialized though and requires local access which (as mentioned) could've exposed the user to keyloggers and other malware.
1 comments
RedTeamPT 895 days ago
Yes, it requires an attacker in a powerful position with local access. However, it does not require special privileges or techniques that may trigger endpoint security (such as keyloggers or memory dumping). The only requirements are reading a JSON file and making a single Windows API call to retrieve the key.
link
jabart 895 days ago
It sounds like this required both local access AND a Active Directory Domain Administrator account (which should have triggered EDR at some point) which is the end game anyway. They just managed to hop out of the AD environment to a non-ad server because of the other password being in this vault. Glad they made it more user interactive to decrypt.
link
kadoban 895 days ago
No, the final one only required local access as the user in question (this is mentioned after the one you're referring to that required AD Domain takeover).
link
jabart 895 days ago
Ah yeah.

1. Off workstation decrypt using the AD DPAPI Backup keys. 2. Local DPAPI List and Dump for the windows hello biometric key

link
malfist 895 days ago
Do hardware keyloggers trigger endpoint security?
link
Sohcahtoa82 895 days ago
A hardware keylogger has to sit as a MitM between the keyboard and the USB port.

Sufficiently paranoid endpoint security could trip when the keyboard is unplugged and then plugged back in.

link
dannyw 895 days ago
That must have a lot of false positives for all but the most paranoid environments.
link
RedTeamPT 895 days ago
No, but hardware keylogger require physical access.
link
malfist 895 days ago
What is the difference between "physical access" and "powerful position with local access"
link
Robin_Message 894 days ago
It's the difference between the evil maid attack (someone sneaks a keylogger into your turned-off machine whilst cleaning your room) vs local privilege escalation (the sysadmin installs a game and now your entire network is owned).
link
sumedh 894 days ago
I asked ChatGpt "where can I buy hardware keyloggers"

It just shut me down "I can't assist with that request."

link
ametrau 894 days ago
This company makes nice ones:

https://shop.hak5.org/blogs/payloads/duckylogger

link
eddythompson80 895 days ago
They do not
link
hypeatei 895 days ago
Good point.
link