Laps — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/laps/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000Detecting Windows LAPS Password Gathering via PowerShellhttps://feed.craftedsignal.io/briefs/2024-01-laps-password-gathering/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-laps-password-gathering/This brief outlines detection strategies for adversaries attempting to retrieve LAPS passwords using PowerShell and the 'ms-Mcs-AdmPwd' property, potentially leading to lateral movement and privilege escalation within a Windows domain.This threat focuses on detecting malicious actors attempting to gather Local Administrator Password Solution (LAPS) passwords via PowerShell. Microsoft LAPS is used to manage local administrator accounts within an Active Directory (AD) domain, automating password rotation and storage. While beneficial for security, a poorly configured LAPS implementation can be exploited, allowing unauthorized access to local administrator credentials. The detection relies on identifying PowerShell scripts that utilize the Get-AdComputer cmdlet and the ms-Mcs-AdmPwd property, indicative of attempts to retrieve LAPS-managed passwords. Successful exploitation can grant attackers local administrative privileges on targeted machines, facilitating lateral movement and further compromise within the environment.

Attack Chain

  1. The attacker gains initial access to a compromised account or system within the target domain.
  2. The attacker uses PowerShell to execute a script that queries Active Directory for computer objects.
  3. The script uses Get-AdComputer to retrieve computer objects.
  4. The script filters the results to find the ms-Mcs-AdmPwd attribute, which stores the LAPS password.
  5. The attacker retrieves the LAPS password for the target computer.
  6. The attacker uses the retrieved LAPS password to authenticate to the target computer.
  7. The attacker gains local administrator privileges on the target computer.
  8. The attacker uses the compromised system as a pivot for further lateral movement or data exfiltration.

Impact

A successful attack can lead to widespread compromise within the targeted environment. An attacker who obtains LAPS passwords can gain local administrator access to multiple machines, enabling lateral movement, data theft, and potentially the deployment of ransomware. The impact can range from data breaches and service disruptions to complete control over the organization’s IT infrastructure. The number of affected systems depends on the attacker’s persistence and the scope of the LAPS deployment.

Recommendation

  • Deploy the provided Sigma rule to detect PowerShell scripts querying AD for LAPS passwords via ms-Mcs-AdmPwd.
  • Investigate any alerts generated by the Sigma rule, focusing on the user and machine involved.
  • Review and harden LAPS configuration to ensure proper access controls are in place.
  • Monitor PowerShell script block logging (Event ID 4104) for suspicious activity related to Active Directory queries.
  • Implement robust access controls to prevent unauthorized access to LAPS data.
]]>highadvisorylapscredential-accesspowershellwindows