ms-DS-Machine-Account-Quota
is defined as “The number of computer accounts that a user is allowed to create in a domain." The ms-DS-Machine-Account-Quota
is attribute that defines number of computer accounts could be joined to domain by domain user. ms-Mcs-AdmPwd
is attribute that stores the clear-text local Administrator password for the computer object. It can be set on each computer after LAPS installation for domain environment. “The ‘Local Administrator Password Solution’ (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.” If the ms-DS-Machine-Account-Quota
attribute is default and there is no delegation about domain join permissions to add computer to Active Directory , a domain user can add computer account to active directory domain using the ms-ds-machine-account-quota
attribute which is set “10” value as default. So that user can read ms-Mcs-AdmPwd
attribute value by obtaining Owner Rights on computer that is added by himself even if LAPS configuration is completed correctly . All extended rights
over the computer account even if All extended rights permissions are disabled on Organizational Unit and all descendant objects during LAPS configuration process.(Microsoft LAPS_OperationsGuide.docx document) So that domain user reads password of local administrator user and uses the password for persistence. The user can bypass GPO restrictions obtaining password of local admin user. For example, user can edit registry settings or add own account to local administrators group after GPO which removes undefined users from local administrators group. Also attacker can obtain information about complexity of Administrator passwords and create wordlist according to complexity policies. Then attacker can conduct bruteforce attack against to Administrator user that was not locked never.mkandemir
is a domain user that has privilege of adding computer account to domain offensive.local
up to 10 default (ms-ds-machine-account-quota
) and there is no delegation about domain join permissions to add computer to Active Directory. Laps configuration is applied for DomainComputers
organizational unit that includes adding new computer accounts. According to below configuration , only system and members of Domain Admins group reads local admin passwords so mkandemir domain user must not read local Administrator password (ms-Mcs-AdmPwd) in the teory. Configuration is applied according to Microsoft “LAPS_TechnicalSpecification” Word document. In Stage 6.2, it says “Delegation of permissions on computers accounts is performed on OU (OUs) that contain computer accounts in scope of the solution.”DomainComputers
are following before a computer is added to organizational unit by mkandemir
user.offensive\mkandemir
user adds computer (DESKTOP-G8E7GKM
) and obtains local Administrator rights before computer is rebooted. Basic powershell script could be used for joining domain and adding account to local administrators group. DESKTOP-G8E7GKM
computer as offensive\mkandemir
domain user.mkandemir
user can read ms-Mcs-AdmPwd
attribute using Get-NetComputer
cmdlet from PowerView.ps1
. However PowerView.ps1
is detected by Windows Defender that must be disabled so local admin right is required. The user can disable Defender and read local administrator password even if All extended rights
permission is removed from users and groups before computer adding process. Above LAPS configuration defines Domain Admins
group is authorized for reading local admin passwords but mkandemir user can gain All Extended Rights
over DESKTOP-G8E7GKM
object that added by himself. This is possible because ms-DS-Machine-Account-Quota
attribute value is 10
defaultly.mkandemir
user does not remains local admin after computer is rebooted. To read ms-mcs-admpwd attribute value, user must install LAPS management Powershell module (AdmPwd.PS
) before adding computer to Active Directory. So that password could be read using AdmPwd.PS module.ms-DS-Machine-Account-Quota
attribute value is default and there is no delegation about domain join permissions to add computer to Active Directory , a domain user can add computer account to domain using the ms-ds-machine-account-quota
attribute . So that domain user reads password of local administrator user and uses the password for persistence. For example, user can edit registry settings or add own account to local administrators group after GPO which removes undefined users from local administrators group. Also, this is information disclosure vulnerability,(defining complexity is possible with GPRegistryPolicy) user can add computer and read LAPS password so that he can obtain information about complexity and length of other Administrator passwords. Because, LAPS carries out similar password property for all computer accounts that group policy is applied.