Skip to main content
Applies to BloodHound Enterprise and CE For systems using legacy LAPS, the following AD computer object properties are relevant:
  • ms-Mcs-AdmPwd: The plaintext LAPS password
  • ms-Mcs-AdmPwdExpirationTime: The LAPS password expiration time
For systems using Windows LAPS (2023 edition), the following AD computer object properties are relevant:
  • msLAPS-Password: The plaintext LAPS password
  • msLAPS-PasswordExpirationTime: The LAPS password expiration time
  • msLAPS-EncryptedPassword: The encrypted LAPS password
  • msLAPS-EncryptedPasswordHistory: The encrypted LAPS password history
  • msLAPS-EncryptedDSRMPassword: The encrypted Directory Services Restore Mode (DSRM) password
  • msLAPS-EncryptedDSRMPasswordHistory: The encrypted DSRM password history

Abuse Info

 Plaintext attributes can be read using a simple LDAP client. For example, with PowerView: 
Get-DomainComputer "MachineName" -Properties "cn","ms-mcs-admpwd","ms-mcs-admpwdexpirationtime"
 On Linux, using bloodyAD: 
bloodyAD --host $DC_IP -d $DOMAIN -u $USER -p $PASSWORD get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
 Encrypted attributes can be decrypted using Microsoft’s LAPS PowerShell module. For example: 
Get-LapsADPassword "WIN10" -AsPlainText
The encrypted attributes can also be retrieved and decrypted using lapsv2decrypt (dotnet or BOF).

Opsec Considerations

Reading properties from LDAP is extremely low risk, and can only be found using monitoring of LDAP queries.

Edge Schema

Source: User, Group, Computer
Destination: Computer
Traversable: Yes

References

I