Some legitimate administrative tasks and authorized tools use PowerShell to access LAPS passwords for maintenance and recovery. Filter alerts to exclude approved administrative activities.

Techniques

Sample rules

Windows LAPS Password Gathering Via PowerShell Script

Description

Detects attempts to gather LAPS passwords via PowerShell by querying the ms-Mcs-AdmPwd property. Microsoft LAPS (Local Administrator Password Solution) is a Windows native tool used to manage local Administrator accounts within an AD domain. Instead of requiring an administrator to manually set, rotate, and store the local Administrator passwords, LAPS does this automatically while providing an easy interface for authorized users to retrieve passwords for recovery and other admin-related tasks. The benefits to an organization are obvious: a well-known critical security challenge is automated and protected, and IT resources are freed up. However, because LAPS holds so much sensitive information, it is also a potential avenue of attack for malicious actors looking to further compromise an environment. If LAPS isn't properly locked down, an organization can inadvertently allow anybody to obtain local Admin rights on a given machine.

Detection logic

`powershell` EventID="4104" ScriptBlockText="*Get-AdComputer*" ScriptBlockText="*ms-Mcs-AdmPwd*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventID ScriptBlockText signature signature_id user_id vendor_product Guid Opcode Name Path ProcessID ScriptBlockId
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_laps_password_gathering_via_powershell_script_filter`
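The following is an added example, not part of the Splunk content above, that re-implements the detection logic in Python so it can be run offline over a handful of constructed Event ID 4104 script-block records: the base search (EventID plus both case-insensitive ScriptBlockText wildcards), the `stats ... by` aggregation with `firstTime`/`lastTime`, the `rename Computer as dest`, and an allowlist of approved hosts and accounts standing in for the `windows_laps_password_gathering_via_powershell_script_filter` macro, which is how the false-positive note about authorized administrative activity would be applied. The sample records, host names, SIDs and the allowlist are all constructed for the example; the group-by list is trimmed to the fields present in the sample.

```python
"""Added example (not the Splunk rule itself): the LAPS password gathering
detection run over constructed PowerShell 4104 script-block records."""
from collections import defaultdict
from datetime import datetime, timezone
import fnmatch

# Constructed sample of Event ID 4104 records (not real logs). The first two
# records stand for the same script block being run twice from one host.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventID": "4104", "Computer": "WS01.corp.example",
     "user_id": "S-1-5-21-1111", "ScriptBlockId": "a1",
     "ScriptBlockText": "Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd"},
    {"_time": 1700000300, "EventID": "4104", "Computer": "WS01.corp.example",
     "user_id": "S-1-5-21-1111", "ScriptBlockId": "a1",
     "ScriptBlockText": "Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd"},
    {"_time": 1700000600, "EventID": "4104", "Computer": "ADMIN-JUMP.corp.example",
     "user_id": "S-1-5-21-9999", "ScriptBlockId": "b1",
     "ScriptBlockText": "get-adcomputer SRV05 -properties ms-mcs-admpwd"},
    {"_time": 1700000900, "EventID": "4104", "Computer": "WS03.corp.example",
     "user_id": "S-1-5-21-2222", "ScriptBlockId": "c1",
     "ScriptBlockText": "Get-ADComputer -Filter * | Select Name"},   # no LAPS attribute
    {"_time": 1700001200, "EventID": "4103", "Computer": "WS03.corp.example",
     "user_id": "S-1-5-21-2222", "ScriptBlockId": "c2",
     "ScriptBlockText": "Get-ADComputer -Properties ms-Mcs-AdmPwd"},  # wrong EventID
]

# Splunk wildcard matches on field values are case-insensitive; mirror that.
def _wild(value, pattern):
    return fnmatch.fnmatch(value.lower(), pattern.lower())

def matches(event):
    """Base search: EventID=4104 AND both ScriptBlockText wildcards."""
    text = event.get("ScriptBlockText", "")
    return (event.get("EventID") == "4104"
            and _wild(text, "*Get-AdComputer*")
            and _wild(text, "*ms-Mcs-AdmPwd*"))

# Subset of the rule's group-by fields present in the constructed sample.
GROUP_BY = ("Computer", "EventID", "ScriptBlockText", "user_id", "ScriptBlockId")

def aggregate(events):
    """stats count min(_time) as firstTime max(_time) as lastTime by GROUP_BY,
    followed by rename Computer as dest. Missing fields become "" (fillnull)."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            key = tuple(ev.get(f, "") for f in GROUP_BY)
            groups[key].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["dest"] = row.pop("Computer")
        row["count"] = len(times)
        row["firstTime"] = datetime.fromtimestamp(min(times), tz=timezone.utc).isoformat()
        row["lastTime"] = datetime.fromtimestamp(max(times), tz=timezone.utc).isoformat()
        rows.append(row)
    return rows

def apply_filter(rows, approved_hosts=(), approved_users=()):
    """Stand-in (assumption) for the *_filter macro: drop hits coming from
    approved administrative hosts or accounts, per the false-positive note."""
    return [r for r in rows
            if r["dest"] not in approved_hosts and r["user_id"] not in approved_users]

def run(events, approved_hosts=(), approved_users=()):
    """Full pipeline: base search -> stats/rename -> filter macro."""
    return apply_filter(aggregate(events), approved_hosts, approved_users)

if __name__ == "__main__":
    # Constructed allowlist: the jump host used by the approved LAPS recovery process.
    for row in run(SAMPLE_EVENTS, approved_hosts={"ADMIN-JUMP.corp.example"}):
        print(row["dest"], row["user_id"], row["count"], row["firstTime"], row["lastTime"])
```

Two points are worth noting when tuning the real rule the same way: the wildcards match regardless of case, so `get-adcomputer ... ms-mcs-admpwd` from the jump host is still caught by the base search and is only suppressed by the allowlist, and the allowlist should be keyed on the host and account that the approved recovery process actually uses, not on the script text, since the text is exactly what an unauthorized query would share with a legitimate one.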