How can an attacker implement this CredSSP attack in a workgroup environment?
In a workgroup environment where NTLM authentication is used, the attacker first modifies the local Group Policy via registry commands to enable 'Allow delegating default credentials with NTLM-only server authentication'. Then, using regular user privileges, they run `tsssp::server` in kekeo to listen for connections, and `tsssp::client /target:anyword` to trigger the local client to send credentials over a named pipe. This allows capturing the current user's plaintext password without admin rights. The full command details are in the original article.
workgroup, NTLM, kekeo, tsssp, local credential capture