The LAPS Takedown: How a Single Windows Feature Became Your Biggest Security Liability

Listen to this Post

Featured Image

Introduction:

Microsoft’s Local Administrator Password Solution (LAPS) was designed to secure local administrator accounts by managing unique, complex passwords. However, its very mechanism for providing security has become a prime target for attackers seeking lateral movement and privilege escalation across a Windows domain. Understanding how to exploit and defend LAPS is now a core competency for both red and blue teams.

Learning Objectives:

  • Understand the core components and attack surface of Microsoft LAPS.
  • Learn the techniques for enumerating and exploiting LAPS permissions to retrieve passwords.
  • Master the defensive configurations and monitoring strategies to protect LAPS from compromise.

You Should Know:

1. Enumerating LAPS Installation and Permissions

Before an attacker can target LAPS, they must confirm its presence and identify principals with read permissions. The `ms-Mcs-AdmPwd` attribute is the key.

Verified Commands:

 Check if LAPS is installed on a specific computer
Get-AdComputer -Identity "TARGET-PC" -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

Find all computers with LAPS installed (PowerShell Active Directory Module)
Get-AdComputer -Filter  -Properties ms-Mcs-AdmPwd | Where-Object {$_.'ms-Mcs-AdmPwd' -ne $null}

Use the LAPS PowerShell module to check read permissions
Find-LAPSDelegatedGroups

Using the LAPS legacy 'admpwd.dll' for schema check
(Get-WmiObject -Namespace root\cimv2\security\microsofttpm -Class Win32_EncryptableVolume).__SERVER

Step-by-step guide:

The first step is reconnaissance. Using the PowerShell Active Directory module, an attacker (or an administrator assessing posture) queries Active Directory for computers that have the `ms-Mcs-AdmPwd` attribute populated. This confirms LAPS is in use. The `Find-LAPSDelegatedGroups` cmdlet, part of the official LAPS module, is then critical for identifying which users or groups have the “All Extended Rights” permission that allows them to read the password. An attacker who has compromised an account with this permission can then target that account for credential access.

2. Exploiting LAPS with Standard User Privileges

Once a user with read permissions is identified, retrieving the password is straightforward. The attacker leverages their compromised context.

Verified Commands:

 Method 1: Using the LAPS PowerShell Module (requires module installed)
Get-LapsADPassword -Identity "TARGET-PC"

Method 2: Using native ADSI searcher in PowerShell (no module required)
)
).FindOne().Properties['ms-mcs-admpwd']

Method 3: Using the 'LAPS.x86' or 'LAPS.x64' standalone executables
LAPS.x64.exe /getpassword:TARGET-PC

Step-by-step guide:

This phase involves data extraction. If the attacker’s current session has the necessary permissions, they can use any of the methods above. The most common is using the `Get-LapsADPassword` cmdlet, which will return the plaintext password and its expiration time. The ADSI searcher method is a powerful alternative that uses native .NET classes and leaves no trace of a LAPS-specific tool being run. The standalone executables are useful for off-the-shelf exploitation kits. The retrieved password grants local administrator access to the target computer, enabling lateral movement.

3. LAPS Exploitation with BloodHound and PowerView

Attackers using tool suites like BloodHound can automate the discovery of LAPS-readable accounts and the path to them.

Verified Commands:

 PowerView: Find computers where the current user has LAPS read rights
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {
($<em>.ObjectAceType -eq 'ms-Mcs-AdmPwd') -and ($</em>.ActiveDirectoryRights -match 'ReadProperty')
}

BloodHound Cypher Query: Find shortest path to a LAPS-readable computer
MATCH p=shortestPath((u:User {name: "[email protected]"})-[r:HasLAPS1..]->(c:Computer))
RETURN p

Step-by-step guide:

BloodHound ingests ACL data to build a graph of relationships. The custom `HasLAPS` edge in BloodHound specifically maps the “Read Property” right on the `ms-Mcs-AdmPwd` attribute. By running the Cypher query, an attacker can visually see if their compromised user account (or any group they belong to) has a path to read LAPS passwords on any computers. This automates the planning of an attack path, showing exactly which computers can be owned and in what order.

4. Hardening LAPS Delegation Permissions

The primary defense is ensuring only highly privileged, dedicated accounts can read LAPS passwords. Principle of Least Privilege is paramount.

Verified Commands:

 Using the LAPS UI (LAPS.UI.x64) to view and modify permissions
 1. Open LAPS UI.
 2. Connect to the target OU.
 3. Right-click the OU -> "Set Delegation..."
 4. Remove any unnecessary principals and ensure only a dedicated "LAPS-Admins" group has "Read password" rights.

Using PowerShell to create a new group for LAPS administration
New-ADGroup -Name "LAPS-Admins" -GroupCategory Security -GroupScope Global -Description "Members can read LAPS passwords"

Step-by-step guide:

Defense begins with proper delegation. Instead of granting “Domain Admins” full control, create a separate security group like “LAPS-Admins.” Using the LAPS UI, navigate to the Organizational Unit (OU) containing your workstations. Open the delegation settings and remove any broad groups. Grant only the “LAPS-Admins” group the “Read password” permission. This containment ensures that a compromise of a standard user or even a junior admin account does not automatically lead to LAPS compromise.

5. Implementing LAPS with Group Policy

LAPS is managed and deployed via Group Policy. Correct configuration is non-negotiable.

Verified Commands:

 Check the local LAPS password on a client (local confirmation)
cmd /c "dir %windir%\System32\Groups\LAPS\"

PowerShell to check the GPO setting for password complexity
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\temp\RSOP.html
 Then inspect the report for "Administrator Password Age" and "Password Settings"

Step-by-step guide:

After installing the LAPS client-side extension on your endpoints, you must configure the central policy. Create a new GPO and navigate to Computer Configuration -> Administrative Templates -> LAPS. Key settings to enable are “Enable local admin password management,” “Password Settings” (configure complexity and length), and “Name of administrator account to manage.” Link this GPO to the OUs containing your workstations. The `Get-GPResultantSetOfPolicy` cmdlet helps verify the effective policy on a target machine.

6. Advanced Monitoring and Detection for LAPS Abuse

Detecting LAPS exploitation requires monitoring for specific event IDs related to the reading of the sensitive attribute.

Verified Commands:

 PowerShell query for Domain Controller security logs (Event ID 4662)
Get-WinEvent -LogName Security -FilterXPath "[System[EventID=4662]]" | Where-Object {
$_.Message -like "ms-Mcs-AdmPwd"
}

KQL Query for Azure Sentinel/Microsoft Defender
SecurityEvent
| where EventID == 4662
| where Properties has "ms-Mcs-AdmPwd"
| project TimeGenerated, Account, Computer, IpAddress

Step-by-step guide:

Active Directory auditing must be configured to log successful accesses to the `ms-Mcs-AdmPwd` attribute. This generates Event ID 4662 on the Domain Controller. The key is to baseline normal activity. A single query from a non-privileged account is a high-fidelity alert. Setting up a scheduled PowerShell script or a SIEM correlation rule to alert on these events, especially when the requesting user is not a member of the dedicated “LAPS-Admins” group, is a critical detective control.

  1. The Evolution: Transitioning to Windows LAPS with Azure AD Integration
    Microsoft’s modern “Windows LAPS” supersedes the legacy solution, offering integration with Azure AD and enhanced features.

Verified Commands:

 Check if Windows LAPS is enabled via local policy
Get-LocalGroupMember -Group "Administrators"

PowerShell to check the new Windows LAPS registry settings
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Policies\LAPS"

Azure AD PowerShell to check for a hybrid-joined device (requires module)
Get-MgDevice -Filter "startswith(DisplayName,'TARGET-PC')" -Property DisplayName, DeviceId, OperatingSystem

Step-by-step guide:

Windows LAPS uses a new set of policies and can back up passwords to either on-premises Active Directory or Azure AD. To implement, ensure devices are running a supported OS (Windows 10/11 22H2+ or Windows Server 2022+) and have the latest updates. Configure the new policy settings under Computer Configuration -> Administrative Templates -> System -> LAPS. For Azure AD integration, set the “Backup directory” to “Azure AD.” This provides a more secure, cloud-backed solution that is resilient to traditional on-premises attacks.

What Undercode Say:

  • LAPS is a double-edged sword; its centralization of powerful credentials makes it an irresistible target for attackers.
  • The shift to cloud-managed Windows LAPS is not just an upgrade but a necessary evolution to close inherent weaknesses in the legacy AD-based model.

The legacy LAPS solution fundamentally created a new, highly valuable attack surface within Active Directory. While it solved the problem of a shared local administrator password, it created a centralized repository of credentials protected only by AD ACLs—a system often rife with permission sprawl. The modern Windows LAPS solution mitigates this by leveraging Azure AD, a platform with stronger default security controls and monitoring. The key lesson is that any centralized credential management system must be designed with the assumption that the underlying directory will be probed for weaknesses. Defense, therefore, relies on fanatical adherence to least privilege, robust monitoring for anomalous access, and a proactive migration to more secure, cloud-integrated platforms.

Prediction:

The exploitation of LAPS will continue to be a primary technique in ransomware and state-sponsored attacks due to its prevalence and high payoff. However, the increasing adoption of Windows LAPS with Azure AD integration, combined with stricter zero-trust policies that de-emphasize persistent local admin rights, will gradually diminish its effectiveness. The future of endpoint security lies in password-less authentication, Just-in-Time (JIT) administrative access, and managed identities, rendering static local admin passwords—and the tools that manage them—obsolete.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Anass Bouacha – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky