In Part 1 we explored how one could go about discovering and mapping the LAPS configuration in a domain. In this part, we’ll look at various ways LAPS can be abused for persistence purposes.
I suspect the majority of folk are familiar with the “Local Administrator Password Solution” (LAPS) from Microsoft. If not, the tl;dr is that it:
periodically changes the local admin account password stores the password in a extended attribute of the computer object in AD allows password read & reset permissions to be delegated to AD users/groups More detailed information can be found here, here and here.
The purpose of this post, is to put together a more complete end-to-end process for mapping out the LAPS configuration in a domain.