LAPS ms-Mcs-AdmPwd enumeration/attack vector

Take the following scenario, we have compromised Ted’s account, we identify he has LAPS read permissions to a few boxes, how do we go about taking advantage of that from the Red Team attack perspective? Well its pretty straight forward with no catches, we just read the AD ms-Mcs-AdmPwd attribute from the computer object.

ReadLAPSPassword

In this case our compromised user has the ability to read the ‘ms-Mcs-AdmPwd’ LAPS attribute on SQL1 which is the password field for the local administrators account. With the right tools ted can read this attribute, we will use PowerView.

Import PowerView (in this instance I’m using Covenant the .NET command and control framework):

Using PowerView to read the ms-mcs-AdmPwd attribute
Get-DomainObject SQL1.Jango.com -Properties "ms-mcs-AdmPwd",name

If we look at the attribute editor in AD Users and Computers for the SQL1 account we can see this aligns:

Showing the ms-Mcs-AdmPwd AD computer object attribute.

Easy!

Note: The moral of this story, ensure the principle of least privilege is followed, ask yourself was Ted supposed to be in that group. I’ve written about the benefits of LAPS here and here, however careful configuration is required. Ensure you LAPS permissions are in check.