Free call

Top Security QuickFails: #5 Attack of the CloneAdmins aka Missing LAPS

29. November 2021

#5 Attack of the CloneAdmins aka Missing LAPS

The attack

At FaulerHund AG in Munich, the employees are starting a new business year and are looking forward to new challenges. So also the administrator Karl KannNixDafür, who noticed on Thursday noon around 12:30 that the account of Ute Unbeschwert is still logged in, although she went on vacation around 11 o’clock. However, due to the fact that he has not yet had a lunch break and will return no later than 2 p.m., this problem will have to wait a little longer.

Around 1 p.m., Karl was sitting at the table of a restaurant around the corner and was about to start eating when suddenly numerous calls and text messages came in. No one in the company could work anymore and a strange message was placed on employees’ desktops.

Sample message for ransom demand by a ransomware exposure (Zimba,... | Download Scientific Diagram

Now Karl is faced with the all-important question:

How can attackers compromise a company with 1500 workstations in 2 hours?

What happened?

Ute Unbeschwert checked her e-mails shortly before her well-deserved vacation and fortunately received an e-mail with the latest travel advice. After she had gathered all the information on the portal, she could finally leave and the attacker could look around in her system 😉

After the attacker gained local admin rights on the system, he discovered that the local administrator password used was valid on all systems. Unfortunately, this remains a very common practice in companies to facilitate the initial setup of computers or servers.



However, this gave the attacker complete control over the entire company within a few minutes and allowed him to deploy his ransomware across the board.

The countermeasure

For this problem Microsoft has released a simple & ingenious tool: LAPS

This tool is configured via group policies and then takes care of the local admin accounts. The following advantages come with the use of the tool:

  • Individual admin passwords per computer
  • Long passwords (default 30 characters)
  • Automatic change of passwords in regular cycles

Thus, the compromise of a single system and the resulting disclosure of the local admin password does not immediately jeopardize the entire domain (domain admin session excluded xD).

Finally, I would like to point out that the implementation of LAPS is extremely trivial and requires very little time (maximum 2h). So read the MS documentation or consult a trusted advisor, download LAPS and get started 😉

Safety gain

Very high

*From the blog series Top Security QuickFails

You are currently viewing a placeholder content from Facebook. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.

More Information
Unblock content Accept required service and unblock content

Similar posts

Top Security QuickFails

The prehistory In recent years, we have conducted an extremely large number of penetration tests at companies of all sizes [...]

Read more

6. June 2021

Top Security QuickFails: #1 Office Macros

#1 Standard Office Macros Settings The attack Our employee of the month Peter Lustig receives [...]

Weiterlesen

6. June 2021

Top Security QuickFails: #2 Domain Admins Everywhere

#2 Domain admins everywhere The attack It is a Monday morning and Kevin Vielzutun starts his monthly server check in [...]

Read more

15. June 2021

Top Security QuickFails: #3 The “invisible” network shares

#3 The “invisible” network shares The attack It’s Wednesday morning, the sun is shining and all ImmerGrün AG employees are [...]

Weiterlesen

26. August 2021