AD-LAPSCredential Access

Read LAPS Password

Read ms-Mcs-AdmPwd (or msLAPS-Password) on a computer object you have READ rights to.

§ Where this technique fits

AD-LAPS is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

LAPS read → local admin on every endpoint
A delegated 'helpdesk' group gains read access to ms-Mcs-AdmPwd. Compromising any member of that group cascades to local admin on every LAPS-managed machine.
step 3 / 5

§ What commonly comes next

01
Windows Remote Management
T1021.006 · Lateral Movement
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

LAPS read → local admin on every endpoint

§ What commonly comes next