
OverLAPS: Overriding LAPS Logic

DEFCONConference · 681 views · 21:19 · 6 months ago

This talk demonstrates techniques to intercept and manipulate the internal logic of Microsoft's Local Administrator Password Solution (LAPS) on both Active Directory and Entra ID environments. By using instrumentation tools like Frida or Microsoft Detours to hook specific functions within the LAPS client-side DLLs, an attacker can capture local administrator passwords in cleartext or force a password rotation on demand. The research highlights that while LAPS provides security, its client-side logic is susceptible to manipulation if an attacker has local administrative access to the target machine. The presentation provides proof-of-concept scripts to demonstrate these techniques and discusses potential defensive considerations for blue teams.

Bypassing LAPS: How to Hook Client-Side Logic for Credential Access

TLDR: Microsoft’s Local Administrator Password Solution (LAPS) is often treated as a black box, but its client-side logic is surprisingly accessible to anyone with local administrative rights. By using instrumentation tools like Frida or Microsoft Detours, researchers can hook internal functions to capture cleartext passwords or force password rotations on demand. This research proves that LAPS is not a silver bullet and that local system compromise remains the ultimate game-over scenario for credential management.

Security professionals have long relied on LAPS to solve the nightmare of static, shared local administrator passwords. It is a standard component of modern Windows environments, designed to rotate passwords and store them securely in Active Directory or Entra ID. Because it is a Microsoft-native solution, many administrators assume it is tamper-proof. That assumption is a mistake. If an attacker gains local administrative access to a machine, the LAPS client-side logic is not just visible; it is fully manipulatable.

The Mechanics of the Hook

The core of this research centers on the client-side implementation of LAPS, specifically the laps.dll library. While LAPS does a decent job of protecting passwords from unauthorized network access, it relies on the local machine to perform the heavy lifting of password generation and directory updates. This creates a fundamental dependency: the machine must be able to "talk" to the directory to report its new password.

By using Frida, a dynamic instrumentation toolkit, we can inject custom scripts into the laps.dll process. The goal is to intercept the function calls that handle password updates. When the LAPS service triggers a rotation, it calls specific internal functions to generate a new password and push it to the directory. By hooking these functions, we can intercept the password buffer before it is encrypted or sent over the wire.

Consider the SamSetPasswordForeignUser2 function within the SAM server DLL (samsrv.dll). This function is responsible for updating the local administrator password. By instrumenting this call, we can read the memory address containing the new password string. The following snippet demonstrates the logic required to hook this function and dump the password to your console:

Interceptor.attach(Module.findExportByName("samsrv.dll", "SamSetPasswordForeignUser2"), {
    onEnter: function(args) {
        // The password is in the Unicode string structure at the specified offset
        var passwordPtr = args[3]; 
        console.log("Captured LAPS Password: " + Memory.readUtf16String(passwordPtr));
    }
});

This technique works because the LAPS service runs with high privileges, and if you have already achieved local admin, you can bypass the protections that would normally prevent a standard user from inspecting these memory spaces.

Forcing Rotation on Demand

Capturing the password is only half the battle. A more aggressive approach involves forcing the LAPS service to rotate the password whenever you want. This is useful if you are waiting for a scheduled rotation that might take hours or days.

The LAPS client-side logic includes a check to see if the current password has expired. By hooking the CheckADPasswordUpdateFactors function, we can force the return value to indicate that the password is expired, even if it is not. This tricks the LAPS service into immediately initiating a rotation cycle. Once the cycle starts, the service generates a new password, updates the directory, and sets the new password locally. Because we have already hooked the update function, we capture the new password the moment it is generated.

This is a classic example of a logic flaw. We are not exploiting a memory corruption bug or a buffer overflow; we are simply telling the application to do its job on our schedule.

Real-World Engagement Impact

On a typical penetration test, you might find yourself with local administrator access but no clear path to domain dominance. If the target environment uses LAPS, you are essentially sitting on a goldmine of credentials that rotate regularly. Instead of running noisy credential dumping tools that trigger EDR alerts, you can use these instrumentation techniques to silently harvest the local administrator password every time it rotates.

This is particularly effective in environments where the local administrator account is used for lateral movement across workstations. By capturing the password, you can move laterally without needing to crack hashes or perform pass-the-hash attacks.

Defensive Considerations

Defending against this requires a shift in mindset. You cannot rely on LAPS to protect credentials if the underlying operating system is already compromised. The most effective defense is to prevent the initial local administrative compromise. If an attacker has local admin, they can disable LSA Protection, bypass EDR, and hook any process they choose.

Ensure that your EDR solution is configured to detect unauthorized process injection, particularly when tools like Frida are used against system services. Additionally, monitor for unexpected LAPS password rotation events in your logs. If you see a sudden spike in password changes for a specific machine, it is a strong indicator that someone is manually triggering the rotation logic.
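The log-side check described above, as an added example that is not part of the talk or its released tooling: LAPS rotates the managed account once per configured password age (days), so two resets of that account on the same host within minutes is the spike worth alerting on. The event records are constructed here and modelled loosely on Security Event ID 4724 ("An attempt was made to reset an account's password"); the field names and the account name lapsadmin are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed field names, not a fixed Microsoft
# schema) as a SIEM export of Security Event ID 4724 might look. WS-01 shows
# a normal 30-day rotation; WS-02 shows three resets within nine minutes.
SAMPLE_EVENTS = [
    {"time": "2025-08-01T02:00:05", "host": "WS-01", "target": "lapsadmin", "event_id": 4724},
    {"time": "2025-08-31T02:00:09", "host": "WS-01", "target": "lapsadmin", "event_id": 4724},
    {"time": "2025-08-12T14:01:10", "host": "WS-02", "target": "lapsadmin", "event_id": 4724},
    {"time": "2025-08-12T14:03:42", "host": "WS-02", "target": "lapsadmin", "event_id": 4724},
    {"time": "2025-08-12T14:09:17", "host": "WS-02", "target": "lapsadmin", "event_id": 4724},
    # Noise that must not count: a different account, and a 4723 (change, not reset)
    {"time": "2025-08-12T14:05:00", "host": "WS-02", "target": "jdoe", "event_id": 4724},
    {"time": "2025-08-12T14:06:00", "host": "WS-02", "target": "lapsadmin", "event_id": 4723},
]


def detect_rotation_spikes(events, managed_account="lapsadmin", min_gap=timedelta(hours=1)):
    """Flag hosts where the LAPS-managed account was reset twice within min_gap.

    Returns {host: [(earlier, later, gap_seconds), ...]} for flagged hosts only.
    Hosts whose resets are spaced at the policy interval produce no entry.
    """
    resets = defaultdict(list)
    for e in events:
        if e["event_id"] != 4724 or e["target"].lower() != managed_account.lower():
            continue
        resets[e["host"]].append(datetime.fromisoformat(e["time"]))

    flagged = {}
    for host, times in resets.items():
        times.sort()
        # Compare each reset with the one before it on the same host
        pairs = [(a, b, (b - a).total_seconds())
                 for a, b in zip(times, times[1:]) if b - a < min_gap]
        if pairs:
            flagged[host] = pairs
    return flagged


if __name__ == "__main__":
    for host, pairs in detect_rotation_spikes(SAMPLE_EVENTS).items():
        for earlier, later, gap in pairs:
            print(f"{host}: managed account reset again {gap:.0f}s after {earlier.isoformat()}")
```

In production, set min_gap from the LAPS password-age policy (anything well under the configured age is suspect) and correlate the flagged host with process-injection telemetry from the EDR.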

Ultimately, this research serves as a reminder that security controls are only as strong as the environment they run in. The client-side logic of LAPS is a powerful tool for administrators, but it is also a powerful tool for those who know how to look under the hood. Keep your systems patched, monitor your process memory, and never assume that a built-in security feature is immune to manipulation.

Talk Type: research presentation
Difficulty: advanced
Category: red team
Has Demo · Has Code · Tool Released


DEF CON 33 Main Stage Talks · 98 talks · 2025