undefined | Better HN

0 pointsmr_mitm8mo ago0 comments

Because every time an account logs onto a computer, it leaves traces. Some ephemeral in memory, some permanent on disk. It can be Kerberos tickets, process tokens, domain cached credentials, hashes or even clear text passwords in memory. It's common practice in a lot of organizations for administrators to log on to random workstations to perform whatever task they need to do.

Or there is a service running in the context of a service user domain account. Or the password of the local administrator account is identical on all systems, which was very common before LAPS became a thing.

Yes, if you do everything perfectly and always go by best practices, none of this should be relevant, but most people aren't doing everything perfectly all of the time.

To access any of these things, you need local admin permissions. Then you can reuse them to log on to other systems.

0 comments

anonymars8mo ago

Got it. So it's less about the account itself, and more about the other account data you can only acquire with admin privileges from the local machine (almost like credential stuffing)

mannicken8mo ago

Even if you do everything perfectly there's always a chance one of Microsoft engineers made a mistake somewhere and somebody found it and is now sitting on a zero day. And now with vibe coding the likelihood of that went up by who knows how much. Even air gapped systems get infected if the attacker is sophisticated enough.

j / k navigate · click thread line to collapse