Windows LAPS Password Gathering Via PowerShell Script
Detects attempts to gather LAPS passwords via PowerShell and the ms-Mcs-AdmPwd property. Microsoft LAPS (Local Administrator Password Solution) is a Windows native tool used to manage local Administrator accounts within an AD domain. To keep things simple, instead of requiring an administrator to manually set, rotate, and store the local Administrator passwords, LAPS will do this automatically while providing an easy interface for authorized users to access passwords for recovery and/or other admin-related tasks. The benefits to an organization here are obvious: automate and protect a well-known critical security challenge and free up IT resources on your team. However, the fact that LAPS has so much information means that it provides a potential avenue of attack for malicious actors looking to further compromise an environment. If LAPS isn't properly locked down, an organization can inadvertently allow anybody to grab local Admin powers on a given machine.
Detection Query
`powershell`
EventID="4104"
ScriptBlockText="*Get-AdComputer*"
ScriptBlockText="*ms-Mcs-AdmPwd*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
    by Computer EventID ScriptBlockText signature signature_id user_id vendor_product Guid Opcode Name Path ProcessID ScriptBlockId
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_laps_password_gathering_via_powershell_script_filter`
Author
Raven Tait, Splunk
Data Sources
- Powershell Script Block Logging 4104
Raw Content
name: Windows LAPS Password Gathering Via PowerShell Script
id: 02b712b6-5996-4537-b72a-cad3cb1bb3b4
version: 2
creation_date: '2026-05-05'
modification_date: '2026-05-13'
author: Raven Tait, Splunk
status: production
type: Anomaly
description: |-
  Detects attempts to gather LAPS passwords via PowerShell and the ms-Mcs-AdmPwd property.
  Microsoft LAPS (Local Administrator Password Solution) is a Windows native tool used to manage local Administrator accounts within an AD domain.
  To keep things simple, instead of requiring an administrator to manually set, rotate, and store the local Administrator passwords, LAPS will do this automatically while providing an easy interface for authorized users to access passwords for recovery and/or other admin-related tasks.
  The benefits to an organization here are obvious: automate and protect a well-known critical security challenge and free up IT resources on your team.
  However, the fact that LAPS has so much information means that it provides a potential avenue of attack for malicious actors looking to further compromise an environment.
  If LAPS isn't properly locked down, an organization can inadvertently allow anybody to grab local Admin powers on a given machine.
data_source:
- Powershell Script Block Logging 4104
search: |-
  `powershell`
  EventID="4104"
  ScriptBlockText="*Get-AdComputer*"
  ScriptBlockText="*ms-Mcs-AdmPwd*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
      by Computer EventID ScriptBlockText signature signature_id user_id vendor_product Guid Opcode Name Path ProcessID ScriptBlockId
  | rename Computer as dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_laps_password_gathering_via_powershell_script_filter`
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: Some legitimate administrative tasks and authorized tools use PowerShell to access LAPS passwords for maintenance and recovery. Filter alerts to exclude approved administrative activities.
drilldown_searches:
- earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
  name: View the detection results for - "$user$" and "$dest$"
  search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: 7d
  latest_offset: "0"
intermediate_findings:
  entities:
  - field: dest
    type: system
    score: 20
  message: Potential LAPS password gathering activity observed on $dest$ via script block $ScriptBlockId$.
analytic_story:
- Credential Dumping
- Active Directory Privilege Escalation
asset_type: Endpoint
mitre_attack_id:
- T1552
- T1003
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552/snapattack/snapattack.log
    source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
    sourcetype: XmlWinEventLog
  test_type: unit
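The following is an added example, not Splunk's code or part of the detection above: it replays the search's logic in Python over a handful of constructed PowerShell Script Block Logging events (the 4104 source the `data_source` field names), so the matching rules and the tuning step can be checked offline. It keeps the same predicate as the SPL: `EventID` must be 4104 and the script block text must contain both `Get-AdComputer` and `ms-Mcs-AdmPwd`, compared case-insensitively the way Splunk wildcard field matches are. The allowlist that stands in for the `windows_laps_password_gathering_via_powershell_script_filter` macro, the hostnames, accounts, script block ids and timestamps are all assumptions made up for this example. Two properties of the search are worth noticing in the sample data: a 4103 event with the same text is ignored, and an inventory script that calls `Get-ADComputer` without the LAPS attribute does not fire, which is what keeps the known false positives down to approved LAPS readers.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Both terms are required, mirroring the two ScriptBlockText="*...*" clauses in
# the SPL (adjacent search terms are ANDed). Splunk's wildcard field matching is
# case-insensitive, hence IGNORECASE.
REQUIRED_TERMS = [
    re.compile(r"Get-AdComputer", re.IGNORECASE),
    re.compile(r"ms-Mcs-AdmPwd", re.IGNORECASE),
]

# Stand-in for the `windows_laps_password_gathering_via_powershell_script_filter`
# macro: (host, account) pairs approved to read LAPS passwords. Constructed values.
APPROVED_READERS = {("admws01.corp.example", "CORP\\laps-svc")}

TIME_IN = "%Y-%m-%dT%H:%M:%SZ"
TIME_OUT = "%Y-%m-%dT%H:%M:%S"  # readable form, as `security_content_ctime` yields

# Constructed events, already normalised to the field names the SPL uses.
SAMPLE_EVENTS = [
    # Two chunks of one script block: bulk read of ms-Mcs-AdmPwd for all computers.
    {"EventID": 4104, "Computer": "ws01.corp.example", "user_id": "CORP\\alice",
     "ScriptBlockId": "sb-0001", "_time": "2026-05-05T08:01:12Z",
     "ScriptBlockText": "$comps = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd"},
    {"EventID": 4104, "Computer": "ws01.corp.example", "user_id": "CORP\\alice",
     "ScriptBlockId": "sb-0001", "_time": "2026-05-05T08:01:13Z",
     "ScriptBlockText": "Get-ADComputer -Identity $n -Properties ms-Mcs-AdmPwd | Select-Object Name,'ms-Mcs-AdmPwd'"},
    # Benign inventory query: Get-ADComputer without the LAPS attribute.
    {"EventID": 4104, "Computer": "srv02.corp.example", "user_id": "CORP\\bob",
     "ScriptBlockId": "sb-0002", "_time": "2026-05-05T08:15:00Z",
     "ScriptBlockText": "Get-ADComputer -Filter * -Properties OperatingSystem"},
    # Approved LAPS reader on the admin workstation: dropped by the filter stand-in.
    {"EventID": 4104, "Computer": "admws01.corp.example", "user_id": "CORP\\laps-svc",
     "ScriptBlockId": "sb-0003", "_time": "2026-05-05T09:00:00Z",
     "ScriptBlockText": "Get-ADComputer -Identity ws09 -Properties ms-Mcs-AdmPwd"},
    # Same strings in a 4103 (module logging) event: the SPL only looks at 4104.
    {"EventID": 4103, "Computer": "ws01.corp.example", "user_id": "CORP\\alice",
     "ScriptBlockId": "sb-0001", "_time": "2026-05-05T09:10:00Z",
     "ScriptBlockText": "Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd"},
    # Lower-case variant: still matched because the comparison is case-insensitive.
    {"EventID": 4104, "Computer": "ws07.corp.example", "user_id": "CORP\\carol",
     "ScriptBlockId": "sb-0004", "_time": "2026-05-05T09:30:00Z",
     "ScriptBlockText": "get-adcomputer -filter * -properties MS-MCS-ADMPWD"},
]


def is_candidate(event):
    """EventID="4104" AND both ScriptBlockText wildcard clauses."""
    if str(event.get("EventID")) != "4104":
        return False
    text = event.get("ScriptBlockText", "")
    return all(term.search(text) for term in REQUIRED_TERMS)


def is_approved(event):
    """Allowlist step, playing the role of the detection's *_filter macro."""
    return (event["Computer"], event["user_id"]) in APPROVED_READERS


def detect(events):
    """Group surviving events as the SPL's `stats ... by` does (keyed here on
    host, account and script block) and emit one finding per group."""
    groups = defaultdict(list)
    for ev in events:
        if is_candidate(ev) and not is_approved(ev):
            key = (ev["Computer"], ev["user_id"], ev["ScriptBlockId"])
            ts = datetime.strptime(ev["_time"], TIME_IN).replace(tzinfo=timezone.utc)
            groups[key].append(ts)
    findings = []
    for (computer, account, block_id), times in groups.items():
        findings.append({
            "dest": computer,  # `rename Computer as dest`
            "user_id": account,
            "ScriptBlockId": block_id,
            "count": len(times),
            "firstTime": min(times).strftime(TIME_OUT),
            "lastTime": max(times).strftime(TIME_OUT),
            "message": (f"Potential LAPS password gathering activity observed on "
                        f"{computer} via script block {block_id}."),
        })
    return sorted(findings, key=lambda f: f["firstTime"])


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the block yields two findings: the two-chunk bulk read from ws01 (count 2, first and last time one second apart) and the lower-case variant from ws07. Because the SPL requires both strings inside the same 4104 event, a script that reads the attribute through some other cmdlet, or whose `Get-ADComputer` call and `ms-Mcs-AdmPwd` reference land in different script block chunks, produces no row; that is the gap to keep in mind when tuning or extending this analytic.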