New Research Reveals Windows Endpoint Security Vulnerability | GBAF

New Research Reveals Windows Endpoint Security Vulnerability | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Technology > CYBERARK LABS: EXPLOITING DOMAIN-LEVEL SERVICE CREDENTIALS

CYBERARK LABS: EXPLOITING DOMAIN-LEVEL SERVICE CREDENTIALS

Published by Gbaf News

Posted on November 18, 2016

4 min read

Last updated: January 22, 2026

Single broadband network concept illustration emphasizing Italy's telecom future - Global Banking & Finance Review — Illustration showcasing the concept of a unified broadband network in Italy, reflecting Vivendi's support for Telecom Italia's strategic overhaul to improve connectivity and streamline services.

Attackers with Local Administrator Rights Can Harvest Encrypted Service Credentials to Achieve Lateral Movement and Full Domain Compromise

CyberArk(NASDAQ: CYBR) today unveiled new research from CyberArk Labs detailing what it considers to be a significant risk across all Windows endpoints, including those on Windows 10 with Credential Guard enabled. The exploit could allow cyber attackers to harvest encrypted service credentials from the registry and inject them into a new malicious service to achieve lateral movement and full domain compromise.

Microsoft Credential Guard was introduced to mitigate the risk of lateral movement using compromised credentials, yet Credential Guard does not protect domain-level user and service credentials equally. Despite being encrypted, domain-level service credentials remain in the registry, at risk of compromise by attackers who have obtained local administrator privileges on an infected endpoint.

Similar in concept to Pass-the-Hash attacks, if fully exploited, cyber attackers could compromise and reuse an encrypted service credential – without ever needing to decrypt it – to move laterally through the organisation and ultimately be able to gain access to a domain controller.

From Stolen Credential to Domain Compromise

In a proof of concept, CyberArk Labs researchers were able to demonstrate that attackers with local administrator access on a single user’s machine could compromise domain-level service credentials and reuse them in encrypted form to achieve lateral movement and full domain compromise, even when Credential Guard is enabled. CyberArk’s testing showed that an attacker with local administrator access would not have to use malware to execute this type of attack, and by exploiting this risk, an attacker could gain full ownership of the entire domain in just minutes.

“This research is important to help organisations understand that not all credentials are protected equally, and further, encrypted credentials are not necessarily secure,” said Kobi Ben Naim, senior director of cyber research, CyberArk Labs. “By better understanding the risks associated with credential theft, organisations can prioritise mitigation strategies, starting on the endpoint.”

To learn more, including the specific attack methodology and mitigation strategies for domain-level service credential exploits, read the full CyberArk Labs report, “Stealing Service Credentials to Achieve Full Domain Compromise.”

Research from CyberArk Labs focuses on targeted attacks against organizational networks – the methods, tools and techniques employed by cyber attackers, as well as methods and techniques to detect and mitigate such attacks.

Attackers with Local Administrator Rights Can Harvest Encrypted Service Credentials to Achieve Lateral Movement and Full Domain Compromise

CyberArk(NASDAQ: CYBR) today unveiled new research from CyberArk Labs detailing what it considers to be a significant risk across all Windows endpoints, including those on Windows 10 with Credential Guard enabled. The exploit could allow cyber attackers to harvest encrypted service credentials from the registry and inject them into a new malicious service to achieve lateral movement and full domain compromise.

Microsoft Credential Guard was introduced to mitigate the risk of lateral movement using compromised credentials, yet Credential Guard does not protect domain-level user and service credentials equally. Despite being encrypted, domain-level service credentials remain in the registry, at risk of compromise by attackers who have obtained local administrator privileges on an infected endpoint.

Similar in concept to Pass-the-Hash attacks, if fully exploited, cyber attackers could compromise and reuse an encrypted service credential – without ever needing to decrypt it – to move laterally through the organisation and ultimately be able to gain access to a domain controller.

From Stolen Credential to Domain Compromise

In a proof of concept, CyberArk Labs researchers were able to demonstrate that attackers with local administrator access on a single user’s machine could compromise domain-level service credentials and reuse them in encrypted form to achieve lateral movement and full domain compromise, even when Credential Guard is enabled. CyberArk’s testing showed that an attacker with local administrator access would not have to use malware to execute this type of attack, and by exploiting this risk, an attacker could gain full ownership of the entire domain in just minutes.

“This research is important to help organisations understand that not all credentials are protected equally, and further, encrypted credentials are not necessarily secure,” said Kobi Ben Naim, senior director of cyber research, CyberArk Labs. “By better understanding the risks associated with credential theft, organisations can prioritise mitigation strategies, starting on the endpoint.”

To learn more, including the specific attack methodology and mitigation strategies for domain-level service credential exploits, read the full CyberArk Labs report, “Stealing Service Credentials to Achieve Full Domain Compromise.”

Research from CyberArk Labs focuses on targeted attacks against organizational networks – the methods, tools and techniques employed by cyber attackers, as well as methods and techniques to detect and mitigate such attacks.