Posts: 90
Liked: 17 times
Joined: May 21, 2014 12:15 pm
Full Name: Remko de Koning

Veeam LAPS and Mimikatz...

Post by » 1 person likes this post

Last week I visited a security convention in the Netherlands and attended a seminar about cybersecurity.
Veeam was also present at this convention.

One of the things that was really an eye opener was the way penetration testers try to gain access to your network (the ethical hacker you hire to secure your network).
One of the tools that was used was called Mimikatz.
This tool tries to read user names and passwords from memory.
I have tried this tool myself on an isolated vanilla Windows 7 VM and indeed the "admin" password was displayed in cleartext.
The tool itself is intercepted by most antivirus scanners and also Windows Defender, but in theory this tool could be used to acquire privileged accounts.

So this started to make me think.

Veeam uses "guest OS credentials" to gain access to the machine when it tries to back up the machine.
This is often an account with many privileges. You also often use the same account for many machines.
What if one machine in your network were compromised? What if a hacker gained access to this one machine and waited for a backup to occur?
Could it, in theory, be possible to read the account using this tool and gain access to more PCs or servers?

To be honest, I didn't have the time yet to test this out.

But.... It made me even wonder some more...
For all our machines we use Microsoft LAPS.
Microsoft LAPS gives every single PC or server its unique local admin account with random password.
We also use this really nice software deployment program called PDQ Deploy and PDQ Inventory.
Just recently they introduced new functionality to use the LAPS credentials to deploy or inventory the software on each PC.
So basically what it does is use a specific account to read the password for a specific PC from Active Directory and then use these credentials to contact the PC.
So each PC/server is contacted using its own unique local administrator account.
If the account were compromised, then only the account for that specific PC is compromised.

With this in mind I was wondering if it would be beneficial for future releases of Veeam to integrate the use of LAPS to inject the Guest OS credentials.

Any thoughts people might have on this would be great.
Perhaps there is no need to worry. I do not have enough knowledge on the subject to verify this, but I have seen stuff happening at this security convention and it's making me nervous. These guys are really, really good and I think it will be hard to keep these guys out.


Service Provider
Posts: 64
Liked: 6 times
Joined: Apr 01, 2016 5:36 pm
Full Name: Olivier

Re: Veeam LAPS and Mimikatz...

Post by orb »

+1 for LAPS integration

Posts: 1
Liked: never
Joined: Jul 18, 2019 3:57 pm

Re: Veeam LAPS and Mimikatz...

Post by mbfischer »

+1 for LAPS integration

Posts: 3
Liked: never
Joined: Apr 03, 2019 3:54 pm
Full Name: Tom

Re: Veeam LAPS and Mimikatz...

Post by ntwrkadmn »

+1 for LAPS integration

Service Provider
Posts: 68
Liked: 18 times
Joined: Feb 06, 2018 10:08 am
Full Name: Steve

Re: Veeam LAPS and Mimikatz...

Post by Steve-nIP »

Not a bad idea at all..

Service Provider
Posts: 191
Liked: 38 times
Joined: Apr 28, 2009 8:33 am
Location: Strasbourg, FRANCE

Re: Veeam LAPS and Mimikatz...

Post by NightBird » 1 person likes this post


Use of LAPS on Windows Servers? If your AD (which stores the LAPS local admin passwords) is down, how do you access your servers' local admin?
Can I ask this question => Is the use of LAPS a good idea on the server side?

Service Provider
Posts: 9
Liked: 8 times
Joined: Oct 19, 2018 7:02 am
Full Name: Michael Engl

Re: Veeam LAPS and Mimikatz...

Post by mengl »

LAPS is especially useful for servers where you don't want to have a common (maybe weak) local Admin password.
Of course you could also assign and document an individual password per server, but in practice nobody does that.

If my AD would be down I can get the passwords using Veeam AD explorer. They are stored in plaintext as an AD attribute of the computer account (of course only readable by admins :) )
One could also write a script to export those passwords on a regular basis to a secure location in the DR site.
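
One way to write the export script mentioned above, as an added example that is not part of the original post or any Veeam or Microsoft code: it encrypts the export to a certificate so the passwords are not stored in plaintext at the DR site. It assumes the legacy Microsoft LAPS attributes (`ms-Mcs-AdmPwd`, `ms-Mcs-AdmPwdExpirationTime`) and the RSAT ActiveDirectory module; the function name, OU and paths are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumes the legacy Microsoft LAPS schema attributes and an
# account allowed to read them. Export-LapsEscrow is a hypothetical name.
# $RecipientCert must be a certificate with the Document Encryption EKU whose
# private key is kept only at the DR site.
function Export-LapsEscrow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,    # OU holding the servers
        [Parameter(Mandatory)] [string] $RecipientCert, # public cert (.cer) of the escrow key
        [Parameter(Mandatory)] [string] $OutFile        # encrypted CMS output file
    )
    $props   = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
    $skipped = 0
    $rows = @(foreach ($c in Get-ADComputer -SearchBase $SearchBase -Filter * -Properties $props) {
        $secret = $c.'ms-Mcs-AdmPwd'
        if ([string]::IsNullOrEmpty($secret)) {
            # LAPS has not set a password yet, or this account may not read it.
            Write-Warning "No readable LAPS password for $($c.Name)"
            $skipped++
            continue
        }
        # The expiration attribute is a Windows FILETIME (Int64).
        $expiry     = $c.'ms-Mcs-AdmPwdExpirationTime'
        $expiresUtc = ''
        if ($expiry) { $expiresUtc = [datetime]::FromFileTimeUtc($expiry).ToString('u') }
        [pscustomobject]@{
            Computer   = $c.Name
            Password   = $secret
            ExpiresUtc = $expiresUtc
        }
    })
    if ($rows.Count -eq 0) { throw "Nothing to export from $SearchBase" }

    # The plaintext CSV exists only in memory; the file written to disk is
    # CMS-encrypted and opens only with the certificate's private key.
    $csv = ($rows | ConvertTo-Csv -NoTypeInformation) -join "`r`n"
    Protect-CmsMessage -To $RecipientCert -Content $csv -OutFile $OutFile

    [pscustomobject]@{ Exported = $rows.Count; Skipped = $skipped; File = $OutFile }
}

# Placeholder values, e.g. run from a scheduled task:
# Export-LapsEscrow -SearchBase 'OU=Servers,DC=example,DC=com' `
#     -RecipientCert 'C:\escrow\dr-escrow.cer' -OutFile '\\dr-share\laps\laps.cms'
```

At the DR site, `Unprotect-CmsMessage -Path` on the exported file decrypts it on a machine that holds the private key.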

SVP, Product Management
Posts: 26498
Liked: 4150 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Veeam LAPS and Mimikatz...

Post by Gostev »

However, even better is not to have to deal with passwords at all ;) and this is the direction we're currently exploring with MSA accounts.
