{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/laps/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","LAPS"],"_cs_severities":["high"],"_cs_tags":["laps","credential-access","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis brief covers detecting attempts to harvest Local Administrator Password Solution (LAPS) passwords via PowerShell. Microsoft LAPS manages the built-in local administrator account on domain-joined machines, rotating its password on a schedule and storing the current value as an attribute on the computer object in Active Directory (AD). That stored password is only as safe as the access control list on the attribute: where read access has been delegated too broadly (for example to all authenticated users, or indirectly through GenericAll or All Extended Rights on computer objects), any principal holding that access can read the password of every managed host. The detection identifies PowerShell script blocks that combine the \u003ccode\u003eGet-AdComputer\u003c/code\u003e cmdlet with the \u003ccode\u003ems-Mcs-AdmPwd\u003c/code\u003e attribute, the attribute in which legacy LAPS stores the cleartext password; that combination is a strong indicator of an attempt to bulk-retrieve LAPS-managed passwords. 
Successful retrieval grants the attacker local administrator credentials for the targeted machines, enabling lateral movement and further compromise within the environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an account or system within the target domain.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to query Active Directory for computer objects.\u003c/li\u003e\n\u003cli\u003eThe script calls \u003ccode\u003eGet-AdComputer\u003c/code\u003e to enumerate computer objects, typically with a broad filter such as \u003ccode\u003e-Filter *\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script requests the \u003ccode\u003ems-Mcs-AdmPwd\u003c/code\u003e attribute via \u003ccode\u003e-Properties\u003c/code\u003e. AD returns the value only for computers on which the querying principal has been granted read access to that attribute; with an over-delegated ACL this can be every managed host.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the LAPS password for the target computer from the returned attribute.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the target computer as the managed local administrator account (for example over SMB, WinRM or RDP) using that password.\u003c/li\u003e\n\u003cli\u003eThe attacker now holds local administrator privileges on the target computer.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a pivot for further lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to widespread compromise within the targeted environment. An attacker who obtains LAPS passwords gains local administrator access to every machine whose password was readable, enabling lateral movement, credential theft from those hosts, data theft, and potentially the deployment of ransomware. The impact can range from data breaches and service disruptions to complete control over the organization\u0026rsquo;s IT infrastructure. 
The number of affected systems depends on how widely read access to the password attribute has been delegated to the compromised principal and on how many hosts are LAPS-managed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the associated Sigma rule to detect PowerShell script blocks that query AD for LAPS passwords via \u003ccode\u003ems-Mcs-AdmPwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on the user and machine involved, whether that account is an expected LAPS reader (help desk, deployment tooling), and how many computer objects were queried; a domain-wide \u003ccode\u003e-Filter *\u003c/code\u003e read of the attribute is rarely legitimate.\u003c/li\u003e\n\u003cli\u003eAudit who can read the password attribute and tighten it. For legacy LAPS, \u003ccode\u003eFind-AdmPwdExtendedRights\u003c/code\u003e from the AdmPwd.PS module lists the principals holding extended rights on each OU; remove any delegation beyond the intended administrator groups.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell script block logging (it is not turned on for all script blocks by default) so that Event ID 4104 is populated, and monitor it for suspicious Active Directory queries.\u003c/li\u003e\n\u003cli\u003eNote that Windows LAPS, the successor to legacy LAPS, stores the password in \u003ccode\u003emsLAPS-Password\u003c/code\u003e or \u003ccode\u003emsLAPS-EncryptedPassword\u003c/code\u003e and is read with \u003ccode\u003eGet-LapsADPassword\u003c/code\u003e; a rule keyed only on \u003ccode\u003ems-Mcs-AdmPwd\u003c/code\u003e will miss those reads, so extend it to cover both attribute families.\u003c/li\u003e\n\u003cli\u003eComplement endpoint logging with directory-side auditing: a SACL on the password attribute causes the domain controller to log Event ID 4662 for each read, independent of which client tooling performed it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-laps-password-gathering/","summary":"This brief outlines detection strategies for adversaries attempting to retrieve LAPS passwords using PowerShell and the 'ms-Mcs-AdmPwd' property, potentially leading to lateral movement and privilege escalation within a Windows domain.","title":"Detecting Windows LAPS Password Gathering via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-laps-password-gathering/"}],"language":"en","title":"CraftedSignal Threat Feed — LAPS","version":"https://jsonfeed.org/version/1.1"}
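The detection logic from the brief above, run over constructed Event ID 4104 script block events, as an added example; this is not code from the CraftedSignal brief nor from any Sigma rule it references. The event field names (EventID, Computer, User, ScriptBlockText) mirror the Windows event fields, and every sample event is made up here. The strict mode implements the brief's rule (Get-ADComputer together with ms-Mcs-AdmPwd); the broad mode goes beyond it, also flagging Get-ADObject and raw [adsisearcher] reads and the Windows LAPS attributes msLAPS-Password and msLAPS-EncryptedPassword.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Attributes holding a LAPS-managed password. ms-Mcs-AdmPwd is the legacy LAPS
# attribute named by the brief; the msLAPS-* names are the Windows LAPS ones and
# are an extension beyond the brief's rule. The trailing \b stops
# ms-Mcs-AdmPwdExpirationTime (not secret, read by benign inventory scripts)
# from matching.
LAPS_PASSWORD_ATTR = re.compile(
    r"\b(ms-Mcs-AdmPwd|msLAPS-Password|msLAPS-EncryptedPassword)\b",
    re.IGNORECASE,
)

# Get-ADComputer is the cmdlet named by the brief; Get-ADObject reaches the
# same attribute through an LDAP filter and is included for the broad mode.
AD_QUERY_CMDLET = re.compile(r"\bGet-AD(Computer|Object)\b", re.IGNORECASE)


@dataclass
class Finding:
    user: str
    computer: str
    attribute: str          # which password attribute was requested
    cmdlet: Optional[str]   # None when no AD cmdlet was used (e.g. raw ADSI)
    script: str


def classify_event(event: dict) -> Optional[Finding]:
    """Return a Finding if a 4104 script block reads a LAPS password attribute."""
    if event.get("EventID") != 4104:
        return None
    text = event.get("ScriptBlockText", "")
    attr = LAPS_PASSWORD_ATTR.search(text)
    if attr is None:
        return None
    cmdlet = AD_QUERY_CMDLET.search(text)
    return Finding(
        user=event.get("User", "?"),
        computer=event.get("Computer", "?"),
        attribute=attr.group(1),
        cmdlet=cmdlet.group(0) if cmdlet else None,
        script=text,
    )


def hunt(events: List[dict], strict: bool = True) -> List[Finding]:
    """strict=True is the brief's rule: Get-ADComputer plus ms-Mcs-AdmPwd.
    strict=False flags any read of a LAPS password attribute, whatever the
    cmdlet (or none, for [adsisearcher]-style reads)."""
    findings = []
    for ev in events:
        f = classify_event(ev)
        if f is None:
            continue
        if strict:
            if f.cmdlet is None or f.cmdlet.lower() != "get-adcomputer":
                continue
            if f.attribute.lower() != "ms-mcs-admpwd":
                continue
        findings.append(f)
    return findings


def users_by_hit_count(findings: List[Finding]) -> Counter:
    """Triage pivot: which accounts are reading LAPS passwords, and how often."""
    return Counter(f.user for f in findings)


# Constructed sample events (Microsoft-Windows-PowerShell/Operational, 4104).
# These are not real telemetry; they only exercise the logic above.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01.corp.example", "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd | Select-Object Name, ms-Mcs-AdmPwd"},
    {"EventID": 4104, "Computer": "ADMIN01.corp.example", "User": "CORP\\svc-inventory",
     "ScriptBlockText": "Get-ADComputer -Filter {OperatingSystem -like '*Server*'} -Properties OperatingSystem"},
    {"EventID": 4104, "Computer": "WS02.corp.example", "User": "CORP\\jdoe",
     "ScriptBlockText": "get-adcomputer -filter * -properties 'ms-mcs-admpwd','ms-Mcs-AdmPwdExpirationTime'"},
    {"EventID": 4104, "Computer": "WS03.corp.example", "User": "CORP\\asmith",
     "ScriptBlockText": "Get-ADObject -LDAPFilter '(ms-Mcs-AdmPwd=*)' -Properties ms-Mcs-AdmPwd"},
    {"EventID": 4104, "Computer": "WS04.corp.example", "User": "CORP\\bjones",
     "ScriptBlockText": "Get-ADComputer -Filter * -Properties msLAPS-Password"},
    {"EventID": 4103, "Computer": "WS05.corp.example", "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd"},
    {"EventID": 4104, "Computer": "WS06.corp.example", "User": "CORP\\cmiller",
     "ScriptBlockText": "([adsisearcher]'(objectCategory=computer)').FindAll() | ForEach-Object { $_.Properties['ms-mcs-admpwd'] }"},
]

if __name__ == "__main__":
    broad = hunt(SAMPLE_EVENTS, strict=False)
    for f in broad:
        print(f"{f.user} on {f.computer}: {f.attribute} via {f.cmdlet or 'no AD cmdlet'}")
    print(users_by_hit_count(broad))
```

Script blocks longer than the event size limit are split across several 4104 events sharing a ScriptBlockId, so a production version should reassemble fragments by that id before matching, otherwise a cmdlet and attribute that land in different fragments will escape the strict rule.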