From a597c07270c442ca4bc060321c873d7226b146e3 Mon Sep 17 00:00:00 2001
From: mb
Date: Sun, 6 Jan 2019 14:25:50 +0100
Subject: [PATCH] Added a doc
---
 .../Dealing with LAPS using PowerView 3.0+.md | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 red-teaming/Dealing with LAPS using PowerView 3.0+.md
diff --git a/red-teaming/Dealing with LAPS using PowerView 3.0+.md b/red-teaming/Dealing with LAPS using PowerView 3.0+.md
new file mode 100644
index 0000000..00b93a7
--- /dev/null
+++ b/red-teaming/Dealing with LAPS using PowerView 3.0+.md
@@ -0,0 +1,21 @@
+### Dealing with LAPS using PowerView 3.0+
+
+**Finds all LAPS-enabled machines**
+
+```
+Get-DomainComputer -LDAPFilter '(ms-Mcs-AdmPwdExpirationtime=*)'
+```
+
+
+**Enumerates all users/groups who can view LAPS password on specified `LAPSCLIENT.test.local` machine**
+
+```
+Get-DomainComputer LAPSCLIENT.test.local |
+ Select-Object -ExpandProperty distinguishedname |
+ ForEach-Object { $_.substring($_.indexof('OU')) } | ForEach-Object {
+ Get-DomainObjectAcl -ResolveGUIDs $_.ObjectDN
+ } | Where-Object {
+ ($_.ObjectAceType -like 'ms-Mcs-AdmPwd') -and
+ ($_.ActiveDirectoryRights -match 'ReadProperty')
+ } | Select-Object -ExpandProperty SecurityIdentifier | Get-DomainObject
+```
\ No newline at end of file
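Review bot: The DN trimming `$_.substring($_.indexof('OU'))` in the second snippet throws for any computer that is not under an OU (for example the default CN=Computers container), because IndexOf returns -1 and Substring(-1) raises ArgumentOutOfRange; a guard such as `ForEach-Object { $i = $_.IndexOf('OU='); if ($i -ge 0) { $_.Substring($i) } }` keeps the pipeline alive, and matching `'OU='` rather than `'OU'` avoids cutting inside a hostname that happens to contain those two letters. The next stage passes `$_.ObjectDN` to `Get-DomainObjectAcl`, yet `$_` at that point is the plain string produced by the trim, which has no ObjectDN property, so the identity argument looks like it evaluates to null — worth confirming against a real PowerView 3.0 run, since `Get-DomainObjectAcl -ResolveGUIDs $_` is what the trimmed DN appears to be intended for. The `-like 'ms-Mcs-AdmPwd'` test only keeps ACEs scoped to that one attribute, so principals holding GenericAll or an unscoped extended right on the OU, who can also retrieve the password, are under-reported; the doc should say so or extend the filter to those rights. The whole document fits inside this single hunk.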