OS Credential Dumping: LSA Secrets (T1003.004)

Tactic: Credential Access · Platforms: Windows

The interactive view maps 1 detection strategy, 3 mitigations, 10 threat groups, 9 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of OS Credential Dumping (T1003).

Overview

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.

Reg can be used to extract from the Registry. Mimikatz can be used to extract secrets from memory.

Explore