2xxe

Misc: LAPS Password Retrieval Logs via DS Access

Jun 30, 2022

LAPS password retrieval activity can be logged via directory service advanced auditing, specifically event ID 4662, after configuring the appropriate GPO and SACLs.

Scenario: a user with adequate permissions to retrieve the LAPS password for a computer account (“ARDENVALE” in this example) does so using PowerShell.

[Image: retrieve LAPS password]

To find the corresponding object access events, first resolve the LAPS AD property to its schema GUID.

[Image: schema GUID lookup, based on https://stackoverflow.com/a/51326601]

Then query for 4662 events containing that GUID.

[Image: example query using Elastic]
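
The two steps above, run directly against a domain controller's Security log instead of Elastic, as an added example that is not code from the original post. It assumes the legacy LAPS attribute ms-Mcs-AdmPwd, the RSAT ActiveDirectory module, and that the GPO and SACLs are already in place; the variable names are illustrative.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory

$attribute = 'ms-Mcs-AdmPwd'     # assumption: legacy LAPS password attribute
$dc        = $env:COMPUTERNAME   # assumption: run on the DC that logged the access

# Step 1: resolve the attribute's lDAPDisplayName to its schemaIDGUID.
# The GUID is looked up at run time rather than hard-coded.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaObject = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(lDAPDisplayName=$attribute)" -Properties schemaIDGUID
if (-not $schemaObject) {
    throw "Attribute '$attribute' was not found in the schema."
}
# schemaIDGUID is stored as a byte array; convert it to the string form
# that appears in the event's Properties field.
$guid = [guid]::new([byte[]]$schemaObject.schemaIDGUID).ToString()

# Step 2: read 4662 events and keep those whose Properties list contains the GUID.
Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4662 } |
    ForEach-Object {
        # Parse EventData into a name/value table instead of matching on Message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # -like is case-insensitive, so GUID casing in the log does not matter.
        if ($data['Properties'] -like "*$guid*") {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                LogonId     = $data['SubjectLogonId']
                ObjectName  = $data['ObjectName']   # the computer object that was read
                AccessMask  = $data['AccessMask']
            }
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

Each domain controller keeps its own Security log, so repeat the query per DC or run the equivalent search in the central log store.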
