Windows LAPS Credential Dump From Entra ID

Aug 12, 2024 · attack.t1098.005 ·

Detects when an account dumps the LAPS password from Entra ID.

Sigma rule (View on GitHub)

 1title: Windows LAPS Credential Dump From Entra ID
 2id: a4b25073-8947-489c-a8dd-93b41c23f26d
 3status: experimental
 4description: Detects when an account dumps the LAPS password from Entra ID.
 5references:
 6    - https://twitter.com/NathanMcNulty/status/1785051227568632263
 7    - https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
 8    - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
 9author: andrewdanis
10date: 2024-06-26
11tags:
12    - attack.t1098.005
13logsource:
14    product: azure
15    service: auditlogs
16detection:
17    selection:
18        category: 'Device'
19        activityType|contains: 'Recover device local administrator password'
20        additionalDetails.additionalInfo|contains: 'Successfully recovered local credential by device id'
21    condition: selection
22falsepositives:
23    - Approved activity performed by an Administrator.
24level: high

References

x.com

Read More
Windows LAPS in Microsoft Intune - cloudcoffee.ch

Windows LAPS provides centralized, simple and secure management of local administrator passwords in Microsoft Intune.

Read More
Introducing Windows Local Administrator Password Solution with Microsoft Entra (Azure AD) | Microsoft Community Hub

Check out Windows Local Administrator Password Solution to keep your Windows devices in Azure AD secure!

Read More

Windows LAPS Credential Dump From Entra ID

Sigma rule (View on GitHub)

References

x.com

Windows LAPS in Microsoft Intune - cloudcoffee.ch

Introducing Windows Local Administrator Password Solution with Microsoft Entra (Azure AD) | Microsoft Community Hub