nerdexam
GIAC

GCIH · Question #626

Which Microsoft tool can be used to mitigate the risk of an adversary reusing a stolen local administrator password hash?

The correct answer is B. LAPS. LAPS mitigates pass-the-hash attacks by assigning unique, randomized passwords to each machine's local administrator account, preventing credential reuse across systems.

Vulnerability Exploitation & Privilege Escalation

Question

Which Microsoft tool can be used to mitigate the risk of an adversary reusing a stolen local administrator password hash?

Options

  • AAttack surface reduction
  • BLAPS
  • CASLR
  • DHeap spray protection

How the community answered

(31 responses)
  • A
    3% (1)
  • B
    87% (27)
  • C
    6% (2)
  • D
    3% (1)

Why each option

LAPS mitigates pass-the-hash attacks by assigning unique, randomized passwords to each machine's local administrator account, preventing credential reuse across systems.

AAttack surface reduction

Attack surface reduction rules in Microsoft Defender limit exposure to exploit vectors such as macros and obfuscated scripts, but do not address the reuse of stolen credential hashes for lateral movement.

BLAPSCorrect

LAPS (Local Administrator Password Solution) generates and rotates a unique password for the local administrator account on each Windows endpoint, storing it securely in Active Directory. Because every machine has a different local admin password, a stolen NTLM hash from one machine cannot be reused to authenticate to other machines on the network. This directly breaks the pass-the-hash lateral movement technique that attackers rely on.

CASLR

ASLR (Address Space Layout Randomization) randomizes memory addresses to prevent reliable exploit code execution, which is a code execution mitigation unrelated to stolen password hash reuse.

DHeap spray protection

Heap spray protection prevents attackers from placing shellcode in predictable heap memory locations; it is a memory exploit mitigation with no relevance to stolen credential reuse or lateral movement.

Concept tested: LAPS preventing pass-the-hash lateral movement

Source: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview

Topics

#LAPS#pass-the-hash#local administrator#credential management

Community Discussion

No community discussion yet for this question.

Full GCIH Practice