LAPS read → local admin on every endpoint
A delegated 'helpdesk' group gains read access to ms-Mcs-AdmPwd. Compromising any member of that group cascades to local admin on every LAPS-managed machine.
§ Context
Assumed environment: LAPS is deployed and at least one group with Read rights on ms-Mcs-AdmPwd (legacy LAPS) or msLAPS-Password (Windows LAPS) is reachable.
§ Steps
- 01 Dump LSASS for higher-priv tokens (Credential Access; T1003.001: LSASS Memory)
- 02 Compromise a LAPS-reader principal (Initial Access; T1078: Valid Accounts)
- 03 PSExec/WinRM as local admin (Lateral Movement; T1021.006: Windows Remote Management)
- 04 Enumerate LAPS readers (Discovery; AD-BLOODHOUND: BloodHound / SharpHound Enumeration). Note: BloodHound 'ReadLAPSPassword' edge.
- 05 Read ms-Mcs-AdmPwd / msLAPS-Password (Credential Access; AD-LAPS: Read LAPS Password). Tools: nxc ldap -M laps / pyLAPS.py
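The delegation this path depends on can be audited from the directory side before an attacker enumerates it. The PowerShell below is an added example, not code from this dossier or from any tool it names; it assumes the RSAT ActiveDirectory module and uses placeholder values for the OU and for the Tier-0 principals expected to hold the right.

```powershell
# Added example (not from this dossier): audit which principals hold an ACE on an OU that
# allows reading the LAPS password attributes of the computers beneath it.
# Assumptions: RSAT ActiveDirectory module; $OU and $Tier0 are placeholders for your domain.
Import-Module ActiveDirectory

$OU    = 'OU=Workstations,DC=corp,DC=example'              # placeholder OU to audit
$Tier0 = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')  # readers you expect to find

# Resolve the schemaIDGUIDs of the password attributes. ms-Mcs-AdmPwd's GUID is generated
# when the legacy LAPS schema is extended, so it differs per forest and must be looked up.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lapsAttr = @{}
foreach ($name in 'ms-Mcs-AdmPwd', 'msLAPS-Password', 'msLAPS-EncryptedPassword') {
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))"
    if ($obj) { $lapsAttr[[guid]($obj.schemaIDGUID)] = $name }
}

$AllGuid  = [guid]'00000000-0000-0000-0000-000000000000'   # ObjectType meaning "every attribute"
$ExtRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$AllRight = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$findings = foreach ($ace in (Get-Acl -Path "AD:\$OU").Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights
    $hasExt = ($rights -band $ExtRight) -ne 0
    # The password attributes are confidential: ReadProperty/GenericRead alone is not enough.
    # The ACE needs CONTROL_ACCESS (ExtendedRight) on that attribute, on all attributes, or GenericAll.
    $scope = $null
    if (($rights -band $AllRight) -eq $AllRight)                 { $scope = 'GenericAll' }
    elseif ($hasExt -and $lapsAttr.ContainsKey($ace.ObjectType)) { $scope = $lapsAttr[$ace.ObjectType] }
    elseif ($hasExt -and $ace.ObjectType -eq $AllGuid)           { $scope = 'all extended rights' }
    if (-not $scope) { continue }
    $sam = $ace.IdentityReference.Value.Split('\')[-1]
    # Member count shows the blast radius of the delegation; $null when the principal is not a group.
    $members = try { @(Get-ADGroupMember -Identity $sam -Recursive -ErrorAction Stop).Count } catch { $null }
    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Grants    = $scope
        Members   = $members
        Inherited = $ace.IsInherited
        Expected  = $Tier0 -contains $sam
    }
}

# Every row with Expected = False is a LAPS reader whose compromise cascades to local admin on all
# computers under $OU. Inheritance scope (InheritedObjectType) is not checked, so this over-reports.
$findings | Sort-Object Expected, @{Expression = 'Members'; Descending = $true} | Format-Table -AutoSize
```

Run it against each OU that holds LAPS-managed computers; a large helpdesk or IT group in the output is exactly the cascade the dossier describes.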
§ References
- T1003.001: LSASS Memory
- T1078: Valid Accounts
- T1021.006: Windows Remote Management
§ Frequently asked
- What is the "LAPS read → local admin on every endpoint" attack path?
- A delegated 'helpdesk' group gains read access to ms-Mcs-AdmPwd. Compromising any member of that group cascades to local admin on every LAPS-managed machine. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Dump LSASS for higher-priv tokens (T1003.001), a credential access primitive. Assumed environment: LAPS is deployed and at least one group with Read rights on ms-Mcs-AdmPwd (legacy LAPS) or msLAPS-Password (Windows LAPS) is reachable.
- What is the final impact of this kill-chain?
- The final step lands on Read ms-Mcs-AdmPwd / msLAPS-Password (AD-LAPS), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References": each technique page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- (2 shared techniques) Leaked legacy VPN credential → ransomware (Colonial-class): A dormant VPN account whose password appeared in a third-party breach is still active and has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.
- (2 shared techniques) Citrix Bleed → steal authenticated session → MFA bypass: Send a long Host header to a vulnerable NetScaler; memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
- (2 shared techniques) Unconstrained delegation → Capture DC TGT → DCSync: Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync.
- (2 shared techniques) WriteDACL on a privileged user → ForceChangePassword → takeover: Discover a misconfigured ACL that lets a low-priv user modify the ACL of a Tier-0 account, grant ForceChangePassword to themselves, reset the victim's password, and log in.
- (2 shared techniques) GenericWrite on Domain Admins → AddMember → DA: A misconfigured 'member' attribute write on a privileged group lets the attacker silently add themselves as a Domain Admin.
- (2 shared techniques) GPO write rights → Immediate scheduled task → SYSTEM on OU: GenericWrite on a linked GPO (or write rights to its SYSVOL folder) lets you drop a ScheduledTasks.xml that fires as SYSTEM on every machine in the OU at the next gpupdate.