
I'm glad they made some improvements to security as a result of this finding. This "attack" is still very specialized though and requires local access which (as mentioned) could've exposed the user to keyloggers and other malware.


Yes, it requires an attacker in a powerful position with local access. However, it does not require special privileges or techniques that may trigger endpoint security (such as keyloggers or memory dumping). The only requirements are reading a JSON file and making a single Windows API call to retrieve the key.


It sounds like this required both local access AND an Active Directory Domain Administrator account (which should have triggered EDR at some point), which is the end game anyway. They just managed to hop out of the AD environment to a non-AD server because of the other password being in this vault. Glad they made it more user interactive to decrypt.


No, the final one only required local access as the user in question (this is mentioned after the one you're referring to that required AD Domain takeover).


Ah yeah.

1. Off-workstation decrypt using the AD DPAPI backup keys.
2. Local DPAPI list and dump for the Windows Hello biometric key.
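The comments above say the local path needs only "reading a JSON file and making a single Windows API call" and describe it as a local DPAPI dump. The following is an added example, not code from the thread or from the product being discussed, and the JSON layout, file name and secret are constructed for the demo. It shows the mechanism those comments rely on: a DPAPI blob protected under CurrentUser scope is recovered by any process running as that user with one call to ProtectedData.Unprotect (the .NET wrapper for CryptUnprotectData), with no elevation, no LSASS access and no memory dumping.

```powershell
# Added example (not from the original thread or the product it discusses).
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.
Add-Type -AssemblyName System.Security

$scope = [Security.Cryptography.DataProtectionScope]::CurrentUser

# --- "Vault" side: protect a secret under the user's DPAPI master key ---
# The secret and the JSON layout are constructed for this demo.
$secret = [Text.Encoding]::UTF8.GetBytes('constructed-demo-secret')
$blob   = [Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)

$path = Join-Path $env:TEMP 'demo-vault.json'
@{ key = [Convert]::ToBase64String($blob) } | ConvertTo-Json | Set-Content -Path $path

# --- "Attacker" side: any code running as this user, no admin rights ---
# Step 1: read the JSON file.
$stored = Get-Content -Path $path -Raw | ConvertFrom-Json

# Step 2: one API call. DPAPI derives the key from the user's logon
# credential, so being the user is the only requirement.
$plain = [Security.Cryptography.ProtectedData]::Unprotect(
    [Convert]::FromBase64String($stored.key), $null, $scope)

if ([Text.Encoding]::UTF8.GetString($plain) -eq 'constructed-demo-secret') {
    Write-Output 'Round trip succeeded: user-scope DPAPI blob recovered without elevation.'
}

Remove-Item -Path $path
```

The reason the two cases in the thread differ is the scope of the key material: a CurrentUser blob needs nothing beyond the user's own session, while decrypting it off the workstation requires the domain DPAPI backup key, which is why the first attack path needed Domain Admin and the second did not. Passing a secondary entropy value as the second argument, or using the Win32 prompt structure so that the user is asked before unprotecting, are the knobs a vendor has to change that "single API call" property.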


Do hardware keyloggers trigger endpoint security?


A hardware keylogger has to sit as a MitM between the keyboard and the USB port.

Sufficiently paranoid endpoint security could trip when the keyboard is unplugged and then plugged back in.


That must have a lot of false positives for all but the most paranoid environments.


No, but hardware keyloggers require physical access.


What is the difference between "physical access" and "powerful position with local access"?


It's the difference between the evil maid attack (someone sneaks a keylogger into your turned-off machine whilst cleaning your room) vs local privilege escalation (the sysadmin installs a game and now your entire network is owned).


I asked ChatGPT "where can I buy hardware keyloggers"

It just shut me down "I can't assist with that request."



They do not.


Good point.



