# Tool/Technique: goLAPS
## Overview
goLAPS is a command-line tool written in Golang that replicates the functionality of pyLAPS, specifically designed to retrieve and set Local Administrator Password Solution (LAPS) passwords stored on a Domain Controller. The author developed it as an exercise to learn Golang.
## Technical Details
- Type: Tool
- Platform: Windows (Implied, as LAPS is a Windows domain feature)
- Capabilities: Retrieving LAPS passwords from a Domain Controller and setting LAPS passwords on target computers.
- First Seen: Research and development predate March 10, 2025; the author cites SenseCon (May 2024) as the inspiration.
## MITRE ATT&CK Mapping
*Note: As this tool directly manipulates credentials/configurations within Active Directory, the primary mappings relate to credential access and lateral movement precursor activities.*
- T1003 - OS Credential Dumping
  - T1003.001 - LSASS Memory
    - *Note: goLAPS reads AD attributes rather than LSASS memory directly, but its function is credential retrieval, which is often grouped under this technique when AD administration tools are assessed.*
- T1119 - Accessing Data from Active Directory
## Functionality
### Core Capabilities
- **Get LAPS Password:** Retrieve the current LAPS password for specified computer accounts from the Domain Controller. Can optionally output results to a CSV file.
- **Set LAPS Password:** Set a new LAPS password on a target computer via the Domain Controller interface.
### Advanced Features
- Automatic binary generation upon push to the 'main' branch using CI/CD pipelines.
- Written as a native Windows executable (unlike pyLAPS, which is Python-based).
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: `./golaps` (Executable name)
- Registry Keys: [Not provided in the text]
- Network Indicators: [Requires connection to Domain Controller (DC) for LDAP/Kerberos operations]
- Behavioral Indicators: Making LDAP queries to a Domain Controller to read or write `ms-Mcs-AdmPwd` attribute values.
## Associated Threat Actors
- Red Team operators (Used successfully in assessments mentioned by the author).
## Detection Methods
- Signature-based detection: Signatures against the compiled goLAPS binary (if hashes become public).
- Behavioral detection: Monitor LDAP/Kerberos interactions with Domain Controllers that originate from workstations or non-DC servers and come from tooling other than the standard administrative tools, in particular reads or writes of the `ms-Mcs-AdmPwd` attribute.
- YARA rules: [Not provided in the text]
## Mitigation Strategies
- Implement LAPS (if not already deployed) to ensure local administrator passwords are randomized.
- Strictly limit which accounts have permissions to read/write the LAPS password attribute (`ms-Mcs-AdmPwd`) in Active Directory.
- Monitor service account activity for tools that query AD attributes programmatically.
- Use security solutions to monitor for unsanctioned use of tools interacting with directory services.
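As an added example (not part of goLAPS or of the page's analysis) of the "strictly limit permissions" mitigation above, the following PowerShell audits which principals hold ACEs that cover the legacy LAPS attribute `ms-Mcs-AdmPwd` on computer objects. It assumes the ActiveDirectory module is available and uses the placeholder OU `OU=Workstations,DC=example,DC=local` as the audit scope.

```powershell
# Added example: enumerate who can read or write ms-Mcs-AdmPwd on computer objects.
# Requires the ActiveDirectory module (RSAT). Placeholder OU below is an assumption.
Import-Module ActiveDirectory

$SearchBase = "OU=Workstations,DC=example,DC=local"

# ACEs reference attributes by schemaIDGUID, so resolve it from the schema partition.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=ms-Mcs-AdmPwd)" -Properties schemaIDGUID
if (-not $attr) { throw "ms-Mcs-AdmPwd not found in schema (legacy LAPS schema not extended?)" }
$admPwdGuid = [guid]$attr.schemaIDGUID

# ms-Mcs-AdmPwd is a confidential attribute: reading it needs ReadProperty plus CONTROL_ACCESS
# (ExtendedRight). Writes need WriteProperty. GenericAll implies all of these.
$rightsOfInterest = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$findings = foreach ($computer in Get-ADComputer -SearchBase $SearchBase -Filter *) {
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # An empty ObjectType means the ACE applies to every attribute of the object.
        # Note: ACEs scoped to a property set that contains the attribute are not matched here.
        $appliesToAttr = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $admPwdGuid)
        if (-not $appliesToAttr) { continue }
        if (($ace.ActiveDirectoryRights -band $rightsOfInterest) -eq 0) { continue }
        [pscustomobject]@{
            Computer  = $computer.Name
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
            Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'All attributes' } else { 'ms-Mcs-AdmPwd' }
        }
    }
}

# Summarise by principal so anything outside the approved reader list stands out,
# then keep the full detail for review.
$findings | Group-Object Principal | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
$findings | Export-Csv -Path ".\admpwd-rights.csv" -NoTypeInformation
```

Principals that appear here but are not on the approved LAPS reader list are the accounts whose compromise would let a tool like goLAPS retrieve passwords; the same output is the baseline for the behavioral monitoring described above.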
## Related Tools/Techniques
- pyLAPS (Direct inspiration and functional equivalent in Python)
- Evilginx (Mentioned in the same context of infrastructure setup ideas)
- Cloud Development Kit for Terraform (CDKTF) (Used in the test lab setup)