[RedTeamPT]

Yes, it requires an attacker in a powerful position with local access. However, it does not require special privileges or techniques that may trigger endpoint security (such as keyloggers or memory dumping). The only requirements are reading a JSON file and making a single Windows API call to retrieve the key.

[jabart]

It sounds like this required both local access AND a Active Directory Domain Administrator account (which should have triggered EDR at some point) which is the end game anyway. They just managed to hop out of the AD environment to a non-ad server because of the other password being in this vault. Glad they made it more user interactive to decrypt.

[kadoban]

No, the final one only required local access as the user in question (this is mentioned after the one you're referring to that required AD Domain takeover).

[jabart]

Ah yeah.

1. Off workstation decrypt using the AD DPAPI Backup keys. 2. Local DPAPI List and Dump for the windows hello biometric key

[malfist]

Do hardware keyloggers trigger endpoint security?

[Sohcahtoa82]

A hardware keylogger has to sit as a MitM between the keyboard and the USB port.

Sufficiently paranoid endpoint security could trip when the keyboard is unplugged and then plugged back in.

[dannyw]

That must have a lot of false positives for all but the most paranoid environments.

[RedTeamPT]

No, but hardware keylogger require physical access.

[malfist]

What is the difference between "physical access" and "powerful position with local access"

[Robin_Message]

It's the difference between the evil maid attack (someone sneaks a keylogger into your turned-off machine whilst cleaning your room) vs local privilege escalation (the sysadmin installs a game and now your entire network is owned).

[sumedh]

I asked ChatGpt "where can I buy hardware keyloggers"

It just shut me down "I can't assist with that request."

[ametrau]

This company makes nice ones:

https://shop.hak5.org/blogs/payloads/duckylogger

[eddythompson80]

They do not

[hypeatei]

Good point.