EXPLORE

← Back to Explore

T1003.004

LSA Secrets

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets) ...

Windows

16

Detections

3

Sources

10

Threat Actors

BY SOURCE

11sigma4elastic1splunk_escu

PROCEDURES (9)

Registry5 detections

Auto-extracted: 5 detections for registry

Service2 detections

Auto-extracted: 2 detections for service

Api2 detections

Auto-extracted: 2 detections for api

Dump2 detections

Auto-extracted: 2 detections for dump

Mimikatz1 detections

Auto-extracted: 1 detections for mimikatz

Registry1 detections

Auto-extracted: 1 detections for registry

Dump1 detections

Auto-extracted: 1 detections for dump

Dump1 detections

Auto-extracted: 1 detections for dump

Mimikatz1 detections

Auto-extracted: 1 detections for mimikatz

THREAT ACTORS (10)

APT29 APT33 Dragonfly Ember Bear Ke3chang Leafminer menuPass MuddyWater OilRig Threat Group-3390

DETECTIONS (16)

Cred Dump Tools Dropped Files

Credential Acquisition via Registry Hive Dumping

Credential Dumping Tools Service Execution - Security

Credential Dumping Tools Service Execution - System

DPAPI Domain Backup Key Extraction

DPAPI Domain Master Key Backup Attempt

Dumping of Sensitive Hives Via Reg.EXE

HackTool - Credential Dumping Tools Named Pipe Created

HackTool - Mimikatz Execution

Possible Impacket SecretDump Remote Activity

Possible Impacket SecretDump Remote Activity - Zeek

PowerShell Invoke-NinjaCopy script

Sensitive Registry Hive Access via RegBack

Suspicious Remote Registry Access via SeBackupPrivilege

Windows LSA Secrets NoLMhash Registry