laps_abuse
WINDOWS - LAPS ABUSE
Any host with LAPS installed will have the following file:
AdmPwd.dll
Find AdmPwd.dll with PowerShell
gdr -PSProvider 'FileSystem' | %{ls -r $_.root} 2>$null | where { $_.name -eq "AdmPwd.dll"} -verbose
Get-ChildItem 'c:\program files\LAPS\CSE\Admpwd.dll'
With PowerView, search for any GPO that has LAPS in the display name (Master Branch)
Get-DomainGPO -Identity "*LAPS*"
With PowerView, see who has read access to ms-Mcs-AdmPwd (LAPS)
Get-NetOU -FullData | Get-ObjectAcl -ResolveGUIDs | Where-Object { ($_.ObjectType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty') }
View LAPS configuration
Parse-PolFile "\\IT.GCB.LOCAL\SysVol\IT.GCB.LOCAL\Policies\{C3801BA8-56D9-4F54-B2BD-FE3BF1A71BAA}\Machine\Registry.pol"
Find who has extended rights over computers/servers/workstations
This will give us a list, such as AppServers, Domain Controllers, etc.
Find-AdmPwdExtendedRights -Identity "*" | fl
Now we can use that list to find what we want to enumerate, e.g.:
Find-AdmPwdExtendedRights -Identity "Domain Controllers" | fl
Using PowerView, get a list of all object ACLs for OUs of interest (resolving GUIDs to their display names), then filter on ActiveDirectoryRights for ReadProperty and on ObjectAceType for ms-Mcs-AdmPwd
Get-DomainObjectAcl -SearchBase "LDAP://OU=Workstations,DC=testlab,DC=local" -ResolveGUIDs | Where-Object { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -like "*ReadProperty*" } | Select-Object ObjectDN, SecurityIdentifier
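
For reviewing your own delegation, the same filters can be turned into an audit that compares every principal able to read the LAPS password against an approved list. This is an added example, not part of the original notes: the function name Find-UnexpectedLapsReader, the sample rows and the SIDs are all constructed, and the 'All' value for an unrestricted extended right is an assumption about how the ACL export names it. Because ms-Mcs-AdmPwd is a confidential attribute, the check also covers "all extended rights" and GenericAll, which is what Find-AdmPwdExtendedRights reports on.

```powershell
# Constructed sample rows, shaped like the Select-Object output of the ACL query above
# with ObjectAceType and ActiveDirectoryRights kept. All SIDs are made up.
$d  = 'S-1-5-21-1111111111-2222222222-3333333333'
$ou = 'OU=Workstations,DC=testlab,DC=local'
$SampleAces = @(
    [pscustomobject]@{ ObjectDN=$ou; SecurityIdentifier="$d-1105"; ObjectAceType='ms-Mcs-AdmPwd'; ActiveDirectoryRights='ReadProperty' }
    [pscustomobject]@{ ObjectDN=$ou; SecurityIdentifier="$d-1190"; ObjectAceType='ms-Mcs-AdmPwd'; ActiveDirectoryRights='ReadProperty' }
    [pscustomobject]@{ ObjectDN=$ou; SecurityIdentifier="$d-1204"; ObjectAceType='All'; ActiveDirectoryRights='ReadProperty, ExtendedRight' }
    [pscustomobject]@{ ObjectDN=$ou; SecurityIdentifier="$d-1300"; ObjectAceType='ms-Mcs-AdmPwdExpirationTime'; ActiveDirectoryRights='ReadProperty' }
)

function Find-UnexpectedLapsReader {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Ace,
        [Parameter(Mandatory)] [string[]] $ApprovedSid   # SIDs allowed to read LAPS passwords
    )
    process {
        # Flags enums stringify as "ReadProperty, ExtendedRight"; split into single rights.
        $rights = "$($Ace.ActiveDirectoryRights)" -split '\s*,\s*'
        $sid    = "$($Ace.SecurityIdentifier)"
        $reason = $null

        if ($Ace.ObjectAceType -eq 'ms-Mcs-AdmPwd' -and $rights -contains 'ReadProperty') {
            $reason = 'ReadProperty on ms-Mcs-AdmPwd'
        } elseif ($rights -contains 'GenericAll') {
            $reason = 'GenericAll (includes all extended rights)'
        } elseif ($rights -contains 'ExtendedRight' -and $Ace.ObjectAceType -in @($null, '', 'All')) {
            # Assumption: an extended-right ACE with no specific object type is exported as 'All' or empty.
            $reason = 'All extended rights'
        }

        # Report only principals that are not on the approved list.
        if ($reason -and $sid -notin $ApprovedSid) {
            [pscustomobject]@{ ObjectDN = $Ace.ObjectDN; SecurityIdentifier = $sid; Reason = $reason }
        }
    }
}

# Constructed allowlist: -1105 stands in for the helpdesk group that is meant to read passwords.
$approved = @("$d-1105")
$SampleAces | Find-UnexpectedLapsReader -ApprovedSid $approved | Format-Table -AutoSize
# Reports -1190 (direct read) and -1204 (all extended rights); -1105 is approved and
# -1300 can only read the expiration time, not the password.
```

To run it against a real export, keep ObjectAceType and ActiveDirectoryRights in the Select-Object list and pipe the rows into the function in place of $SampleAces.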