Detection: Windows LAPS Password Gathering Via PowerShell Script

Description

Detects attempts to gather LAPS passwords via PowerShell and the ms-Mcs-AdmPwd property. Microsoft LAPS (Local Administrator Password Solution) is a Windows native tool used to manage local Administrator accounts within an AD domain. To keep things simple, instead of requiring an administrator to manually set, rotate, and store the local Administrator passwords, LAPS will do this automatically while providing an easy interface for authorized users to access passwords for recovery and/or other admin-related tasks. The benefits to an organization here are obvious: automate and protect a well-known critical security challenge and free up IT resources on your team. However, the fact that LAPS has so much information means that it provides a potential avenue of attack for malicious actors looking to further compromise an environment. If LAPS isn't properly locked down, an organization can inadvertently allow anybody to grab local Admin powers on a given machine.

Search

 1`powershell`
 2EventID="4104"
 3ScriptBlockText="*Get-AdComputer*"
 4ScriptBlockText="*ms-Mcs-AdmPwd*"
 5
 6| fillnull
 7
 8| stats count min(_time) as firstTime
 9              max(_time) as lastTime
10  by Computer EventID ScriptBlockText signature signature_id user_id vendor_product Guid
11     Opcode Name Path ProcessID ScriptBlockId
12
13
14| rename Computer as dest
15
16| `security_content_ctime(firstTime)`
17
18| `security_content_ctime(lastTime)`
19
20| `windows_laps_password_gathering_via_powershell_script_filter`

Data Source

Name	Platform	Sourcetype	Source
Powershell Script Block Logging 4104	Windows	'XmlWinEventLog'	'XmlWinEventLog:Microsoft-Windows-PowerShell/Operational'

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.

Known False Positives

Some legitimate administrative tasks and authorized tools use PowerShell to access LAPS passwords for maintenance and recovery. Filter alerts to exclude approved administrative activities.

Associated Analytic Story

• Active Directory Privilege Escalation

• Credential Dumping

Risk Based Analytics (RBA)

Risk Message:

Potential LAPS password gathering activity observed on $dest$ via script block $ScriptBlockId$.

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1