T1003.004SubTechniquecredential-accessagent-callable

T1003.004LSA Secrets

Sub-technique of T1003

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets) [Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)

ATT&CK tactics· 1

Credential Access

References

  1. https://attack.mitre.org/techniques/T1003/004
  2. https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
  3. https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
  4. https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
  5. https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
  6. https://github.com/mattifestation/PowerSploit
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.
T1003.004: LSA Secrets | SQUR Knowledge Base