Hunt for LAPS

CSE

ls C:\Program Files\LAPS\CSE

AdmPwd.dll

GPOs

powershell Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl

displayname              : LAPS
name                     : {2BE4337D-D231-4D23-A029-7B999885E659}

Computer objects where the ms-Mcs-AdmPwdExpirationTime property is not null

powershell Get-DomainComputer | ? { $_."ms-Mcs-AdmPwdExpirationTime" -ne $null } | select dnsHostName
       
wkstn-2.dev.cyberbotic.io
web.dev.cyberbotic.io    
sql-2.dev.cyberbotic.io  
wkstn-1.dev.cyberbotic.io

GPO, we can download the LAPS configuration from the gpcfilesyspath

ls \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{2BE4337D-D231-4D23-A029-7B999885E659}\Machine

920b     fil     08/16/2022 12:22:23   Registry.pol

download \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{2BE4337D-D231-4D23-A029-7B999885E659}\Machine\Registry.pol

Convert downloaded .pol file

This tells us that:

Password complexity is upper, lower and numbers. Password length is 14. Passwords are changed every 30 days. The LAPS managed account name is LapsAdmin. Password expiration protection is disabled.

Tooling

Last updated