Advisory (severity: high)

Detecting Windows LAPS Password Gathering via PowerShell

This brief outlines detection strategies for adversaries attempting to retrieve LAPS passwords using PowerShell and the 'ms-Mcs-AdmPwd' property, potentially leading to lateral movement and privilege escalation within a Windows domain.

This threat focuses on detecting malicious actors attempting to gather Local Administrator Password Solution (LAPS) passwords via PowerShell. Microsoft LAPS manages local administrator accounts within an Active Directory (AD) domain, automating password rotation and storing each machine's current password in AD. While beneficial for security, a poorly configured LAPS deployment can expose those stored credentials to unauthorized readers. The detection relies on identifying PowerShell scripts that use the Get-AdComputer cmdlet together with the ms-Mcs-AdmPwd property, a combination indicative of attempts to retrieve LAPS-managed passwords. Successful exploitation grants attackers local administrative privileges on the targeted machines, facilitating lateral movement and further compromise within the environment.

Attack Chain

  1. The attacker gains initial access to a compromised account or system within the target domain.
  2. The attacker uses PowerShell to execute a script that queries Active Directory for computer objects.
  3. The script uses Get-AdComputer to retrieve computer objects.
  4. The script filters the results to find the ms-Mcs-AdmPwd attribute, which stores the LAPS password.
  5. The attacker retrieves the LAPS password for the target computer.
  6. The attacker uses the retrieved LAPS password to authenticate to the target computer.
  7. The attacker gains local administrator privileges on the target computer.
  8. The attacker uses the compromised system as a pivot for further lateral movement or data exfiltration.

Impact

A successful attack can lead to widespread compromise within the targeted environment. An attacker who obtains LAPS passwords can gain local administrator access to multiple machines, enabling lateral movement, data theft, and potentially the deployment of ransomware. The impact can range from data breaches and service disruptions to complete control over the organization’s IT infrastructure. The number of affected systems depends on the attacker’s persistence and the scope of the LAPS deployment.

Recommendation

  • Deploy the provided Sigma rule to detect PowerShell scripts querying AD for LAPS passwords via ms-Mcs-AdmPwd.
  • Investigate any alerts generated by the Sigma rule, focusing on the user and machine involved.
  • Review and harden LAPS configuration to ensure proper access controls are in place.
  • Monitor PowerShell script block logging (Event ID 4104) for suspicious activity related to Active Directory queries.
  • Implement robust access controls to prevent unauthorized access to LAPS data.

Detection coverage (2 rules)

Detect LAPS Password Gathering via PowerShell Script

Severity: high

Detects PowerShell scripts attempting to gather LAPS passwords via the ms-Mcs-AdmPwd property.

Rule type: Sigma. Tactics: credential_access. Techniques: T1003, T1552. Log sources: process_creation, windows.

Detect LAPS Password Gathering via PowerShell Script Block Logging

Severity: high

Detects LAPS password gathering attempts using PowerShell Script Block Logging (Event ID 4104).

Rule type: Sigma. Tactics: credential_access. Techniques: T1003, T1552. Log sources: powershell, windows.
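The two rules above share one detection idea: a PowerShell command line (process creation) or script block (Event ID 4104) that references both Get-AdComputer and ms-Mcs-AdmPwd. The following Python is an added example of that logic run over constructed telemetry, not the platform's own Sigma rules; the Event record layout and the "medium" confidence tier for attribute-only matches are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators named in the advisory: the AD cmdlet and the LAPS password attribute.
LAPS_ATTRIBUTE = re.compile(r"ms-Mcs-AdmPwd", re.IGNORECASE)
AD_COMPUTER_CMDLET = re.compile(r"\bGet-ADComputer\b", re.IGNORECASE)

@dataclass
class Event:
    """Normalised log record (hypothetical schema, not a real SIEM field set)."""
    source: str      # "process_creation" or "powershell"
    event_id: int    # e.g. 1 for process creation, 4104 for script block logging
    text: str        # CommandLine or ScriptBlockText
    user: str
    host: str

def strip_escapes(text: str) -> str:
    """Drop PowerShell backtick escapes so ms-Mcs-Adm`Pwd still matches."""
    return text.replace("`", "")

def classify(event: Event) -> Optional[dict]:
    """Return an alert dict when the event matches, else None.
    Both indicators present -> "high" (the advisory's rule logic);
    attribute alone -> "medium" (assumed broader check for triage)."""
    text = strip_escapes(event.text)
    if not LAPS_ATTRIBUTE.search(text):
        return None
    confidence = "high" if AD_COMPUTER_CMDLET.search(text) else "medium"
    if event.source == "powershell" and event.event_id == 4104:
        rule = "Detect LAPS Password Gathering via PowerShell Script Block Logging"
    elif event.source == "process_creation":
        rule = "Detect LAPS Password Gathering via PowerShell Script"
    else:
        return None
    return {"rule": rule, "confidence": confidence, "user": event.user, "host": event.host}

def detect(events: List[Event]) -> List[dict]:
    return [a for a in (classify(e) for e in events) if a]

# Constructed sample telemetry: two benign records, two that should alert.
SAMPLE_EVENTS = [
    Event("powershell", 4104, "Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd | "
          "Select-Object Name,ms-Mcs-AdmPwd", "corp\\jdoe", "WS01"),
    Event("powershell", 4104, "Get-ADComputer -Filter 'Name -like \"FS*\"' | Select Name", "corp\\admin", "SRV02"),
    Event("process_creation", 1, 'powershell.exe -nop -c "get-adcomputer -filter * -properties ms-mcs-admpwd"',
          "corp\\svc", "WS07"),
    Event("process_creation", 1, "powershell.exe -File C:\\scripts\\inventory.ps1", "corp\\svc", "WS07"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Triage starts from the user and host fields, as the recommendations above advise; "medium" hits surface reads of the attribute through other cmdlets that the two named rules would not catch.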
