Operator On The Wire
BLUE TEAM / THREAT HUNT / ACTIVE DIRECTORY / CREDENTIAL ACCESS / SECRETS

LAPS

This note documents detection patterns for abuse of the Local Administrator Password Solution (LAPS) within Active Directory. Legacy LAPS stores each computer's local administrator password in clear text in the ms-Mcs-AdmPwd attribute of its computer object (with the rotation deadline in ms-Mcs-AdmPwdExpirationTime). Any principal granted read access to that attribute can retrieve the password with a plain LDAP read, so the theft itself leaves no trace on the target host; the only server-side evidence is directory access auditing on the domain controllers, and the first endpoint evidence is the local administrator logon that follows. Windows LAPS, the 2023 successor built into the OS, stores the password in msLAPS-Password or, when encryption is enabled, msLAPS-EncryptedPassword; the same detection logic applies once those attribute GUIDs are substituted.


Direct Indicators

Log      | Event ID | Meaning                                 | Forensic Value | Notes
Security | 4662     | Operation performed on an object        | Critical       | A LAPS password is read with a plain LDAP read of ms-Mcs-AdmPwd on the computer object. 4662 is only written if a SACL auditing Read Property on the attribute exists on the computer objects (Set-AdmPwdAuditing in the AdmPwd.PS module writes one) and the Audit Directory Service Access subcategory is enabled. The attribute appears in the Properties field as its schemaIDGUID, not by name, with AccessMask 0x10 (Read Property). The event names the account but not the client address.
Security | 4624     | Successful logon                        | High           | The attacker authenticates to the target with the retrieved password shortly after the read. Look for LogonType 3 (network) or 10 (RDP) where TargetDomainName is the target's own hostname, i.e. a local account.
Security | 4672     | Special privileges assigned to new logon | High           | Accompanies the 4624 when the local administrator logs on to the target.
Security | 5140     | Network share accessed                  | Medium         | SMB access to ADMIN$, C$ or IPC$ on the target with the newly obtained local administrator credentials.
Sysmon   | 1        | Process creation                        | Medium         | powershell.exe loading PowerView or LAPSToolkit, or the Python runtime hosting Impacket or CrackMapExec, on the querying host.
Sysmon   | 3        | Network connection                      | Medium         | LDAP (389/636, Global Catalog 3268/3269) from a workstation to a domain controller, followed by SMB 445, WinRM 5985/5986 or RPC to the target.

Indirect Indicators

Indicator                                  | What To Look For                                                                                   | Forensic Value | Notes
LDAP reads of ms-Mcs-AdmPwd                | Any account reading the attribute (4662, AccessMask 0x10, Properties containing its schemaIDGUID)   | Critical       | Primary artifact of LAPS abuse. Baseline the accounts that legitimately read it.
Multiple LAPS queries                      | One account reading the attribute on many computers within minutes                                  | High           | Enumeration of every password the account can reach; a helpdesk account normally reads one at a time.
Authentication with local admin accounts   | Network or RDP logon with a local account on a computer whose attribute was just read               | Critical       | Strong indicator that the retrieved password was used.
LDAP queries from workstation              | LAPS reads sourced from a host that is not an admin workstation or jump host                       | High           | 4662 does not carry the client address. Attribute the read through the DC's 4624 with the same Logon ID (it carries IpAddress), Directory Service event 1644 with its thresholds lowered, Sysmon 3 on endpoints or network LDAP capture.
Access to multiple systems                 | The same source authenticating as local administrator to several computers                          | High           | Lateral movement with harvested passwords.

Common Tools

Tool              | Usage
PowerView         | Get-DomainComputer -Properties ms-mcs-admpwd,ms-mcs-admpwdexpirationtime (or Get-DomainObject) returns the passwords of every computer the caller is allowed to read.
LAPSToolkit       | PowerShell module built for LAPS: Get-LAPSComputers lists LAPS-managed computers and their passwords; Find-LAPSDelegatedGroups and Find-AdmPwdExtendedRights enumerate who may read them.
CrackMapExec      | Uses retrieved LAPS passwords (or reads them itself via its --laps option) for SMB lateral movement.
Impacket          | psexec.py, wmiexec.py or smbexec.py with the local administrator credential for remote execution.
ADSI / LDAP tools | Manual queries (ADSI Edit, ldapsearch, Get-ADComputer -Properties ms-Mcs-AdmPwd) reading the attribute directly.

Relevant Artifacts

  • Domain controller Security logs (4662; requires the attribute SACL, and the matching 4624 on the DC gives the client address)
  • Directory Service log (1644) and LDAP query logs for client attribution and search filters
  • Active Directory replication metadata (repadmin /showobjmeta) showing when ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime last changed
  • Sysmon logs (1, 3) on the querying host
  • EDR telemetry identifying credential enumeration tools
  • Authentication logs on target hosts (4624, 4672 for local accounts)
  • Prefetch and PowerShell script block (4104) artifacts showing execution of PowerView or LAPSToolkit
  • SMB and remote execution logs (5140, service installation 7045, WMI and WinRM activity)

MITRE ATT&CK References

  • T1003 OS Credential Dumping
  • T1552 Unsecured Credentials (reading the clear-text attribute is the closest fit)
  • T1078 Valid Accounts (T1078.003 Local Accounts for the follow-on logons)
  • T1021.002 Remote Services: SMB/Windows Admin Shares (lateral movement with the harvested password)

Decision Tree

  1. Is the suspicious event present?
    • Find 4662 events with AccessMask 0x10 whose Properties contain the schemaIDGUID of ms-Mcs-AdmPwd (resolve it from the forest's schema partition; the attribute is not searchable by name). No events at all usually means the SACL is missing, not that nothing was read.
  2. What host generated the event?
    • 4662 names the account but not the client. Pin the source workstation through the DC's 4624 whose TargetLogonId matches the 4662 SubjectLogonId (it carries IpAddress), Directory Service event 1644, or Sysmon 3 LDAP connections on endpoints.
  3. Is the account expected to perform this action?
    • Compare against the principals delegated read rights (Find-AdmPwdExtendedRights) and the account's own history of LAPS reads; count how many distinct computers it read in the last hour.
  4. Pivot:
    • Source host → inspect execution of PowerView or LAPSToolkit (Sysmon 1, PowerShell 4104).
    • Target systems → check for local-account logons (4624/4672 with TargetDomainName equal to the hostname) after the read.
    • Network → analyze SMB, WMI, WinRM or PsExec-style activity from the source to those targets.
  5. Confirm exploitation
    • A read followed by a local administrator logon on the same computer from the suspected source confirms the password was retrieved and used. Force rotation of that password and of every other one the account read (Reset-AdmPwdPassword expires ms-Mcs-AdmPwdExpirationTime; the client rotates at its next policy refresh).
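The following is a worked example added to this note (it is not code from the original page or from any LAPS tool) that runs the decision tree and the indicator tables above over a handful of constructed Windows Security events: it resolves the schemaIDGUID that 4662 logs for ms-Mcs-AdmPwd from an ldifde export, picks out Read Property operations on it, flags readers outside an allow-list and burst enumeration, and correlates each read with a later network logon using a local account on the same computer. Everything in it is an assumption of the example rather than something the note states: events are JSON lines carrying the standard EventData field names, and the LDIF fragment, GUIDs, hosts, accounts and addresses are made-up sample data. The ms-Mcs-AdmPwd GUID differs per forest, so export your own before pointing this at real logs.

```python
import base64
import json
import uuid
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed schema export fragment, as written by e.g.
#   ldifde -d "CN=Schema,CN=Configuration,DC=corp,DC=local" -r "(lDAPDisplayName=ms-Mcs-AdmPwd)" -l schemaIDGUID -f laps.ldf
# The GUID is a made-up sample: each forest assigns its own when the LAPS schema is added.
LDIF_EXPORT = """\
dn: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,DC=corp,DC=local
changetype: add
lDAPDisplayName: ms-Mcs-AdmPwd
schemaIDGUID:: ij5vCyxdHkuafxwtPk9aaw==
"""

def schema_id_guid(ldif, ldap_display_name):
    """schemaIDGUID of an attribute in the text form 4662 Properties uses. ldifde writes
    binary values base64-encoded after '::'; AD keeps GUIDs little-endian, hence bytes_le."""
    for block in ldif.strip().split("\n\n"):
        attrs = dict(line.partition(":")[::2] for line in block.splitlines())
        if attrs.get("lDAPDisplayName", "").strip().lower() == ldap_display_name.lower():
            raw = attrs["schemaIDGUID"].lstrip(": ")  # drop the second ':' of '::' and blanks
            return str(uuid.UUID(bytes_le=base64.b64decode(raw)))
    raise KeyError(ldap_display_name)

LAPS_GUID = schema_id_guid(LDIF_EXPORT, "ms-Mcs-AdmPwd")
COMPUTER_CLASS = "%{bf967a86-0de6-11d0-a285-00aa003049e2}"  # schemaIDGUID of the computer class
ALLOWED_READERS = {"corp\\svc-helpdesk"}  # constructed allow-list, lower-case DOMAIN\user

def ev(ts, eid, computer, **data):
    """One constructed Security event as a JSON line."""
    return json.dumps({"TimeCreated": ts, "EventID": eid, "Computer": computer, **data})

def read_of(ts, who, target_dn, guid=LAPS_GUID):
    """Constructed 4662 from a DC: Read Property (0x10) of one attribute of a computer object."""
    return ev(ts, 4662, "DC01.corp.local", SubjectDomainName="CORP", SubjectUserName=who,
              ObjectType=COMPUTER_CLASS, ObjectName=target_dn, AccessMask="0x10",
              Properties="{" + guid + "}")

SAMPLE_LOG = [  # constructed telemetry, not real events
    read_of("2024-05-06T09:00:00", "svc-helpdesk", "CN=WS-114,OU=Workstations,DC=corp,DC=local"),
    read_of("2024-05-06T09:10:00", "jdoe", "CN=FS01,OU=Servers,DC=corp,DC=local"),
    read_of("2024-05-06T09:10:05", "jdoe", "CN=WS-201,OU=Workstations,DC=corp,DC=local"),
    read_of("2024-05-06T09:10:09", "jdoe", "CN=WS-202,OU=Workstations,DC=corp,DC=local"),
    # the same account reading some other attribute (made-up GUID): must not count as a LAPS read
    read_of("2024-05-06T09:10:12", "jdoe", "CN=WS-203,OU=Workstations,DC=corp,DC=local",
            guid="6d6a9e2b-7f1c-4e0a-8b3d-2c5e7a9f1b40"),
    # network logon to FS01 with FS01's own local Administrator, four minutes after the read
    ev("2024-05-06T09:14:00", 4624, "FS01.corp.local", LogonType=3, TargetUserName="Administrator",
       TargetDomainName="FS01", IpAddress="10.0.5.23"),
    # a domain account logging on to WS-114: not a local account, ignored
    ev("2024-05-06T09:20:00", 4624, "WS-114.corp.local", LogonType=3, TargetUserName="svc-helpdesk",
       TargetDomainName="CORP", IpAddress="10.0.9.8"),
]

def laps_reads(events, guid):
    """Direct indicator: 4662 with AccessMask 0x10 whose Properties name the LAPS attribute GUID."""
    hits = []
    for e in events:
        if e["EventID"] == 4662 and e.get("AccessMask") == "0x10" \
                and guid.lower() in e.get("Properties", "").lower():
            cn = e["ObjectName"].split(",", 1)[0].split("=", 1)[1]  # CN=FS01,OU=... -> FS01
            hits.append({"ts": e["ts"], "computer": cn.upper(),
                         "reader": e["SubjectDomainName"] + "\\" + e["SubjectUserName"]})
    return hits

def hunt(lines, guid=LAPS_GUID, allowed=ALLOWED_READERS, window=timedelta(minutes=30), burst=3):
    """Walk the decision tree over JSON-line events; returns the three finding types."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["TimeCreated"])
    for e in events:
        e["ts"] = datetime.fromisoformat(e["TimeCreated"])
    reads = laps_reads(events, guid)
    findings = {"unexpected_reader": [], "burst": [], "followon_logon": []}
    # step 3: is this account expected to read LAPS passwords at all?
    for r in reads:
        if r["reader"].lower() not in allowed:
            findings["unexpected_reader"].append((r["reader"], r["computer"]))
    # indirect indicator: one account reading `burst` or more distinct computers inside `window`
    by_reader = defaultdict(list)
    for r in reads:
        by_reader[r["reader"]].append(r)
    for reader, rs in by_reader.items():
        for i, first in enumerate(rs):
            hosts = {x["computer"] for x in rs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= burst:
                findings["burst"].append((reader, len(hosts)))
                break
    # steps 4-5: local-account network logon on a computer whose password was just read
    for e in events:
        if e["EventID"] != 4624 or e.get("LogonType") != 3:
            continue
        host = e["Computer"].split(".")[0].upper()
        if e["TargetDomainName"].upper() != host:  # a local account carries the hostname as its domain
            continue
        for r in reads:
            if r["computer"] == host and timedelta(0) <= e["ts"] - r["ts"] <= window:
                findings["followon_logon"].append((r["reader"], host, e["TargetUserName"], e["IpAddress"]))
    return findings

if __name__ == "__main__":
    print(LAPS_GUID, hunt(SAMPLE_LOG), sep="\n")
```

On the sample data the reader `CORP\jdoe` is reported three times as an unexpected reader, once as a burst of 3 computers, and once for the local Administrator logon on FS01 from 10.0.5.23 four minutes after reading FS01's password; the read of a different attribute on WS-203 and the domain-account logon on WS-114 are correctly ignored. To use it against real telemetry, replace LDIF_EXPORT with your own ldifde output, feed JSON lines exported from the SIEM, and tune `window` and `burst` to how your helpdesk actually works. The correlation only looks at LogonType 3; extend the check to type 10 if RDP with local accounts is in scope.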

Example Detection Templates

KQL

// Replace <LAPS-GUID> with the schemaIDGUID of ms-Mcs-AdmPwd from your forest's schema partition;
// 4662 records the attribute by GUID in Properties, never by name. AccessMask 0x10 = Read Property.
// Query 1: who reads the attribute, and how many computers per 30 minutes (burst enumeration).
let LapsGuid = "<LAPS-GUID>";
SecurityEvent
| where EventID == 4662 and AccessMask == "0x10" and Properties contains LapsGuid
| summarize Reads = count(), Computers = dcount(ObjectName), First = min(TimeGenerated)
    by SubjectDomainName, SubjectUserName, bin(TimeGenerated, 30m)
| where Computers >= 5

// Query 2: a network logon with a local account (TargetDomainName is the host's own name)
// within 30 minutes of a read of that computer's password.
let LapsGuid = "<LAPS-GUID>";
let LapsReads = SecurityEvent
| where EventID == 4662 and AccessMask == "0x10" and Properties contains LapsGuid
| extend TargetHost = toupper(extract(@"CN=([^,]+)", 1, ObjectName))
| project ReadTime = TimeGenerated, Reader = strcat(SubjectDomainName, "\\", SubjectUserName), TargetHost;
SecurityEvent
| where EventID == 4624 and LogonType == 3
| extend TargetHost = toupper(tostring(split(Computer, ".")[0]))
| where toupper(TargetDomainName) == TargetHost
| join kind=inner LapsReads on TargetHost
| where TimeGenerated between (ReadTime .. (ReadTime + 30m))
| project ReadTime, Reader, TargetHost, LogonTime = TimeGenerated, LocalAccount = TargetUserName, SourceIp = IpAddress

EQL

// Replace <LAPS-GUID> with the schemaIDGUID of ms-Mcs-AdmPwd from your forest; field names are
// the ECS mapping produced by Winlogbeat / Elastic Agent. A bare event.code == "4662" match is far too broad.
any where event.code == "4662" and winlog.event_data.AccessMask == "0x10" and
  winlog.event_data.Properties : "*<LAPS-GUID>*"

Sigma

title: LAPS Password Attribute Read
id: laps-abuse-detection  # the Sigma specification requires a UUID here; replace before use
status: experimental
description: Detects LDAP reads (4662, Read Property) of the legacy LAPS ms-Mcs-AdmPwd attribute on computer objects. Requires a SACL on the attribute; the attribute is logged by schemaIDGUID, which differs per forest.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4662
    AccessMask: '0x10'
    ObjectType|contains: 'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer class
    Properties|contains: '<schemaIDGUID of ms-Mcs-AdmPwd in this forest>'
  filter_expected:
    SubjectUserName:
      - '<laps-reader-account>'
  condition: selection and not filter_expected
fields:
  - SubjectUserName
  - SubjectLogonId
  - ObjectName
  - Properties
falsepositives:
  - Administrators and helpdesk accounts that legitimately retrieve LAPS passwords; list them in filter_expected
level: high
tags:
  - attack.credential_access
  - attack.t1552

Mitigation & Hardening

Control Area       | Mitigation                                                                                                                                   | Effectiveness | Notes
Privilege review   | Audit who holds Read Property or All Extended Rights on ms-Mcs-AdmPwd per OU (Find-AdmPwdExtendedRights) and remove unintended grants          | Critical      | Extended rights inherited from an OU ACL are the usual way an ordinary group ends up able to read every password.
Monitoring         | Set the SACL (Set-AdmPwdAuditing), enable Audit Directory Service Access and alert on 4662 reads of the attribute GUID                        | Critical      | Primary detection strategy; without the SACL there is nothing to alert on.
Least privilege    | Delegate reads (Set-AdmPwdReadPasswordPermission) only to the groups that need them, scoped per OU and per administrative tier                | High          | Reduces attack surface.
Network monitoring | Monitor lateral movement using local administrator accounts                                                                                  | High          | Detects abuse after password retrieval.
Password rotation  | Enforce the rotation policy and force rotation after a suspicious read (Reset-AdmPwdPassword expires ms-Mcs-AdmPwdExpirationTime)            | Medium        | Limits the useful life of a stolen password; the client only rotates at its next policy refresh.
Upgrade            | Move to Windows LAPS with password encryption, so the attribute holds ciphertext that only the configured decryptor principal can recover      | High          | A plain LDAP read of the attribute no longer yields the password.