2xxe

Share this post

2xxe
2xxe
Misc: LAPS Password Retrieval Logs via DS Access
Copy link
Facebook
Email
Notes
More

Misc: LAPS Password Retrieval Logs via DS Access

Jun 30, 2022

Share this post

2xxe
2xxe
Misc: LAPS Password Retrieval Logs via DS Access
Copy link
Facebook
Email
Notes
More
Share

LAPS password retrieval activity can be logged via directory service advanced auditing, specifically event ID 4662, after configuring the appropriate GPO and SACLs.

Scenario: a user with adequate permissions to retrieve the LAPS password for a computer account (“ARDENVALE” in this example) does so using PowerShell

retrieve LAPS password

To find the corresponding object access events, first resolve the LAPS AD property to its corresponding schema GUID

based on https://stackoverflow.com/a/51326601

Then query for 4662 events containing that GUID

example query using Elastic

Share this post

2xxe
2xxe
Misc: LAPS Password Retrieval Logs via DS Access
Copy link
Facebook
Email
Notes
More
Share

Discussion about this post

No posts

Ready for more?

© 2024 2xxe
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More