GCIH · Question #626
Which Microsoft tool can be used to mitigate the risk of an adversary reusing a stolen local administrator password hash?
The correct answer is B. LAPS. LAPS mitigates pass-the-hash attacks by assigning unique, randomized passwords to each machine's local administrator account, preventing credential reuse across systems.
Question
Which Microsoft tool can be used to mitigate the risk of an adversary reusing a stolen local administrator password hash?
Options
- AAttack surface reduction
- BLAPS
- CASLR
- DHeap spray protection
How the community answered
(31 responses)- A3% (1)
- B87% (27)
- C6% (2)
- D3% (1)
Why each option
LAPS mitigates pass-the-hash attacks by assigning unique, randomized passwords to each machine's local administrator account, preventing credential reuse across systems.
Attack surface reduction rules in Microsoft Defender limit exposure to exploit vectors such as macros and obfuscated scripts, but do not address the reuse of stolen credential hashes for lateral movement.
LAPS (Local Administrator Password Solution) generates and rotates a unique password for the local administrator account on each Windows endpoint, storing it securely in Active Directory. Because every machine has a different local admin password, a stolen NTLM hash from one machine cannot be reused to authenticate to other machines on the network. This directly breaks the pass-the-hash lateral movement technique that attackers rely on.
ASLR (Address Space Layout Randomization) randomizes memory addresses to prevent reliable exploit code execution, which is a code execution mitigation unrelated to stolen password hash reuse.
Heap spray protection prevents attackers from placing shellcode in predictable heap memory locations; it is a memory exploit mitigation with no relevance to stolen credential reuse or lateral movement.
Concept tested: LAPS preventing pass-the-hash lateral movement
Source: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
Topics
Community Discussion
No community discussion yet for this question.