Working with the BloodHound API

This privilege allows a principal to read the LAPS password from a computer.

For systems using legacy LAPS, the following AD computer object properties are relevant:

• ms-Mcs-AdmPwd: The plaintext LAPS password
• ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time

For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant:

• msLAPS-Password: The plaintext LAPS password
• msLAPS-PasswordExpirationTime: The LAPS password expiration time
• msLAPS-EncryptedPassword: The encrypted LAPS password
• msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history
• msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password
• msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history

​

Abuse Info

 Plaintext attributes can be read using a simple LDAP client. For example, with PowerView:

Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"

 On Linux, using bloodyAD:

bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

 Encrypted attributes can be decrypted using Microsoft’s LAPS PowerShell module. For example:

Get-LapsADPassword "WIN10" -AsPlainText

The encrypted attributes can also be retrieved and decrypted using lapsv2decrypt (dotnet or BOF).

​

Opsec Considerations

Reading properties from LDAP is extremely low risk, and can only be found using monitoring of LDAP queries.

​

References

• https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
• https://adsecurity.org/?p=3164
• https://learn.microsoft.com/en-us/powershell/module/laps/get-lapsadpassword
• https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt
• https://github.com/CravateRouge/bloodyAD