VU#164934: PDQ Deploy allows reuse of deleted credentials that can compromise a device and facilitate lateral movement
PDQ Deploy is a service used by system administrators to deploy software or updates to targeted machines within their network. It uses "run modes" for deployment, including the "Deploy User" mode which insecurely creates credentials on the target device. These credentials are deleted after a full deployment, but an attacker can compromise them before deletion using tools like Mimikatz. The compromised credentials can be used to gain administrator access on the target device or other devices enrolled in PDQ Deploy through Active Directory. To mitigate this vulnerability, system administrators should employ LAPS, follow recommendations on the PDQ Deploy website, or use alternate deploy modes like "Logged on User" which avoids the vulnerability. The "Logged on User" mode requires user input and is only available in Enterprise mode. A French source validated and coordinated this vulnerability note and case with CERT/CC.