T1003.004: LSA Secrets
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of credential material, such as the passwords of service accounts. LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets; the SECURITY hive is encrypted with a key derived from the SYSTEM hive, so an attacker who exports the hive from disk needs both. LSA secrets can also be dumped from LSASS memory.
Reg can be used to export the relevant hives from the registry. Mimikatz can be used to extract the secrets from memory.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- active_directory_attacks: PT-CR-2542: RemoteKrbRelay_Usage: A user who is not the connection initiator was authenticated by Kerberos. This may indicate the use of the RemoteKrbRelay utility, which remotely triggers and relays Kerberos authentication in order to gain access to a service with the privilege level of the target account using the CertifiedDCOM and SilverPotato techniques.
- mitre_attck_cred_access: PT-CR-566: LSA_SSP_Change: The values of the registry keys that contain the paths of Security Support Provider (SSP) libraries were changed.
- mitre_attck_cred_access: PT-CR-311: Remote_Password_Dump: Remote access to SAMR, WINREG, SVCCTL, and C:\Windows\system32 within 30 seconds of user authentication.
- mitre_attck_cred_access: PT-CR-2484: SharpSecretsdump_Usage: Signs of the C# SharpSecretsdump utility, a port of the secretsdump.py utility from Impacket. Unlike secretsdump.py, the utility runs only locally on the host and does not use the Remote Registry service, which lets an attacker bypass existing firewall, EDR, IDS, and other protection rules and extract secrets from a compromised host.
- mitre_attck_cred_access: PT-CR-301: Credential_Dump_In_Local_Registry: Possible dumping of user credentials is detected.
- hacking_tools: PT-CR-2237: Go_Secdump_Activity: The go-secdump utility was used; it remotely extracts hashes from the registry hives without a remote agent and without touching disk.
- hacking_tools: PT-CR-2118: AdPEAS_Usage: The adPEAS script for domain reconnaissance was started.
- hacking_tools: PT-CR-585: Impacket_Secretsdump: Use of Impacket secretsdump is detected.
- hacking_tools: PT-CR-758: Lazagne_Usage: Use of the LaZagne tool to dump credentials is detected.
Detection
ID | Data source and component | Description
---|---|---
DS0024 | Windows Registry: Windows Registry Key Access | Monitor for access to the registry key where LSA secrets are stored, HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets.
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may be used to access LSA secrets. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts that contain credential dumping functionality also exist, such as PowerSploit's Invoke-Mimikatz module; collecting the necessary information for analysis may require additional logging features to be configured in the operating system.
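The two data sources above, implemented as detection logic over constructed sample events. This is an added example for this page, not code from the original page or from Positive Technologies. It assumes Windows Security events have already been normalized into dicts with the Security-log field names used below (EventID, ObjectName, SubjectDomainName, SubjectUserName, ProcessName, CommandLine); the allowlist entry, rule names, and every sample event are assumptions made for the illustration.

```python
"""T1003.004 detection run over constructed Windows Security events.

Added example for this page; not code from the original page or from
Positive Technologies. Assumes event records already normalized into dicts
with the Security-log field names used below. All sample events are
constructed for illustration.
"""
import re

# In event 4663 (object access) a registry key appears as \REGISTRY\MACHINE\...,
# so HKLM\SECURITY\Policy\Secrets looks like this. A SACL on the key and the
# "Audit Registry" subcategory must be enabled for 4663 to be generated.
LSA_SECRETS_KEY = re.compile(r"\\REGISTRY\\MACHINE\\SECURITY\\Policy\\Secrets", re.I)

# Command-line indicators for event 4688 (process creation with command-line
# auditing on). The SYSTEM hive is needed to decrypt the SECURITY hive, so
# exporting it is flagged as well.
COMMAND_INDICATORS = [
    ("reg_save_security_hive",
     re.compile(r"\breg(\.exe)?\b.*\bsave\b.*\b(hklm|hkey_local_machine)\\security\b", re.I)),
    ("reg_save_system_hive",
     re.compile(r"\breg(\.exe)?\b.*\bsave\b.*\b(hklm|hkey_local_machine)\\system\b", re.I)),
    ("mimikatz_lsadump_secrets", re.compile(r"lsadump::secrets", re.I)),
    ("invoke_mimikatz", re.compile(r"invoke-mimikatz", re.I)),
    ("impacket_secretsdump", re.compile(r"\bsecretsdump(\.py)?\b", re.I)),
]

# lsass.exe running as SYSTEM reads the key as part of normal operation; any
# other (account, process) pair reading it is reported. Assumed allowlist,
# to be tuned per environment.
ALLOWED_KEY_READERS = {("NT AUTHORITY\\SYSTEM", "lsass.exe")}


def check_registry_access(event):
    """Flag event 4663 for the LSA Secrets key from an unexpected reader."""
    if event.get("EventID") != 4663:
        return None
    if not LSA_SECRETS_KEY.search(event.get("ObjectName", "")):
        return None
    account = f'{event.get("SubjectDomainName", "")}\\{event.get("SubjectUserName", "")}'
    process = event.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
    if (account, process) in ALLOWED_KEY_READERS:
        return None
    return {"rule": "lsa_secrets_key_access", "account": account, "process": process}


def check_command(event):
    """Flag event 4688 whose command line matches a known dumping pattern."""
    if event.get("EventID") != 4688:
        return None
    cmd = event.get("CommandLine", "")
    for rule, pattern in COMMAND_INDICATORS:
        if pattern.search(cmd):
            return {"rule": rule, "command": cmd}
    return None


def detect(events):
    """Run both checks over a stream of events; return the alerts in order."""
    alerts = []
    for event in events:
        for check in (check_registry_access, check_command):
            hit = check(event)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "ProcessName": "C:\\Windows\\System32\\lsass.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SECURITY\\Policy\\Secrets\\$MACHINE.ACC\\CurrVal"},
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "admin",
     "ProcessName": "C:\\Windows\\System32\\reg.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SECURITY\\Policy\\Secrets\\_SC_BackupSvc\\CurrVal"},
    {"EventID": 4688, "CommandLine": "reg.exe save HKLM\\SECURITY C:\\Windows\\Temp\\sec.hiv"},
    {"EventID": 4688, "CommandLine": "reg.exe save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.hiv"},
    {"EventID": 4688,
     "CommandLine": 'mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" exit'},
    {"EventID": 4688, "CommandLine": "reg.exe query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two caveats matter in practice. Command-line matching is easy to evade (renamed binaries, in-memory tools such as SharpSecretsdump, or remote dumping with secretsdump.py and go-secdump, where the command line never appears on the target), so the registry audit is the more durable of the two signals; note that Sysmon registry events record key and value changes but not reads, so event 4663 with a SACL on the Secrets key is required for DS0024. LSASS touches the key constantly, so scope the SACL to read and query access and tune the allowlist rather than auditing every access type.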
Mitigation
ID | Name | Description
---|---|---
M1017 | User Training | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
M1027 | Password Policies | Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
M1026 | Privileged Account Management | Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.