Commit a57eedb

Update README.md
1 parent 00dd6ed commit a57eedb

1 file changed (+18 −9 lines)

README.md

Lines changed: 18 additions & 9 deletions
Original file line number | Diff line number | Diff line change
@@ -4,15 +4,24 @@
44
If the ```ms-DS-Machine-Account-Quota``` attribute value is default, there is no delegation about domain join permissions to add computer to Active Directory , a domain user can add computer account to domain using the ```ms-ds-machine-account-quota``` attribute . So that domain user reads password (```ms-mcs-admpwd```) of local administrator user and uses the password for persistence. For example, user can edit registry settings or add own account to local administrators group after GPO which removes undefined users from local administrators group.
55

66
1. Add computer account to Active Directory:
7-
* ``PS C:\> Add-ComputerToDomainWithUserRights``
8-
9-
2. Read ms-mcs-admpwd attribute via PowerView.ps1 (if you are still a member of local administrators after updating GPO)
10-
* ``Get-LapsLocalAdminPassword -disableDefender``
11-
12-
3. Read ms-mcs-admpwd attribute via AdmPwd.PS (if you are not a member of local administrators after updating GPO) (You must install AdmPwd.PS in the step 1)
13-
* ``Get-LapsAdmPwd -LapsInstalled``
14-
15-
If the ms-DS-Machine-Account-Quota attribute value is default and there is no delegation about domain join permissions to add computer to Active Directory , a domain user can add computer account to domain using the ms-ds-machine-account-quota attribute . So that domain user reads password of local administrator user and uses the password for persistence. For example, user can edit registry settings or add own account to local administrators group after GPO which removes undefined users from local administrators group. Also, this is information disclosure vulnerability, user can add computer and read LAPS password so that he can obtain information about complexity and length of other Administrator passwords. Because, LAPS carries out similar password property for all computer accounts that group policy is applied.
7+
* ```powershell
8+
Add-ComputerToDomainWithUserRights
9+
```
10+
11+
2. Read password and determine password policy:
12+
* If you are still a member of local administrators after updating GPO.
13+
Read ms-mcs-admpwd attribute via PowerView.ps1:
14+
```powershell
15+
Get-LapsLocalAdminPassword -disableDefender
16+
```
17+
18+
* If you are not a member of local administrators after updating GPO. (AdmPwd.PS must be installed before the computer is added to domain)
19+
Read ms-mcs-admpwd attribute via AdmPwd.PS:
20+
```powershell
21+
Get-LapsAdmPwd -LapsInstalled
22+
```
23+
24+
Also, this is information disclosure vulnerability, user can add computer and read LAPS password so that he can obtain information about complexity and length of other Administrator passwords. Because, LAPS carries out similar password property for all computer accounts that group policy is applied.
1625
1726
1827
## Mitigation
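Review bot: the fenced PowerShell blocks added inside the list items are not indented, so the fence that follows the `*` at new line 7 closes the bullet and the command renders as a stray block outside step 1; the same happens in the step-2 sub-bullets at new lines 12-22, where the "Read ms-mcs-admpwd attribute via ..." line and the fence sit at column 0 after each `*`. Indent those continuation lines (the explanatory sentence, the opening fence, the command and the closing fence) by the bullet's width so they stay inside the item. Two documentation points in the same hunk: the prerequisite at new line 18, "(AdmPwd.PS must be installed before the computer is added to domain)", now appears only inside step 2, while step 1 (the unchanged line 6) no longer says to install it, so a reader following the steps in order will miss it; the old text said "You must install AdmPwd.PS in the step 1", and step 1 should keep that instruction. Finally, the last sentence at new line 24, "LAPS carries out similar password property for all computer accounts that group policy is applied", is hard to parse; a clearer wording is that the LAPS group policy sets a single password length and complexity for every computer in its scope, so one disclosed password reveals the password policy applied to all of them, which is the reason the "## Mitigation" section that follows matters for every machine, not only the one that was joined.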