Keypoints
- LSA secrets are stored under HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets and may include service account credentials.
- Adversaries can dump LSA secrets from memory using tools like Mimikatz to retrieve plaintext or hashed credentials.
- Common tools: Reg.exe extracts registry secrets; Mimikatz and custom memory parsers target in-memory LSA data.
- Detection focuses on monitoring command-line arguments, process creation, and registry key access to the SECURITY hive.
- Mitigations include restricting SYSTEM-level access, enabling advanced logging, and monitoring for known credential-dumping tool signatures.
Description:
- Like a burglar finding a hidden safe behind wallpaper, attackers with SYSTEM rights can open LSA secrets to steal stored credentials that unlock many parts of a Windows environment.
- Adversaries with SYSTEM access read the SECURITY registry hive or process memory to extract LSA secrets, enabling them to retrieve service account credentials or other secrets for lateral movement, persistence, and privilege escalation.
Detection:
- Monitor process creation for known tools (mimikatz, reg.exe) and suspicious utilities. Log and alert on execution from uncommon locations or by unusual parent processes.
- Capture and analyze command-line arguments. Look for flags used to dump registry hives or extract secrets (for example, reg.exe save or Mimikatz commands).
- Audit and alert on access to the SECURITY registry hive and the Policy\Secrets keys. Use Windows Audit Registry and Sysmon Event IDs for registry reads/queries.
- Enable and collect LSASS process memory access events. Monitor for tools using ReadProcessMemory, CreateRemoteThread, or Minidump creation against lsass.exe via Sysmon or EDR telemetry.
- Use EDR/antivirus to detect Mimikatz signatures and behaviors. Deploy behavior-based detection for credential-dumping patterns rather than only file hashes.
- Correlate suspicious remote administration sessions and newly created service accounts with registry or memory access to reduce false positives.
- Harden logging: enable PowerShell module logging, script block logging, and detailed process auditing. Regularly review and tune alerts to minimize noise and capture real incidents.
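The command-line, registry-access and LSASS-memory-access checks from the detection items above, written out as an added example (not part of the original technique record). It runs over constructed, simplified log records shaped like Sysmon Event ID 1 (process creation), Sysmon Event ID 10 (process access) and Windows Security Event ID 4663 (object access); the field names are an assumed normalisation, and the baseline allowlists are hypothetical and would have to be tuned per environment.

```python
"""Detection logic for LSA-secrets dumping patterns over constructed log records.

Added example, not from the original page. Assumes events normalised into
dicts with the fields used below (constructed sample data, not a real schema).
"""
import re
from typing import Callable, Dict, List, Tuple

Alert = Tuple[str, str]  # (rule name, human-readable summary)

# reg.exe saving the SECURITY hive (HKLM\SECURITY) to any output path.
REG_SAVE_SECURITY_RE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+\"?(?:HKLM|HKEY_LOCAL_MACHINE)\\SECURITY\b", re.I)
# Mimikatz module syntax on a command line, whatever the binary was renamed to.
MIMIKATZ_MODULE_RE = re.compile(r"\b(?:lsadump|sekurlsa)::\w+", re.I)
# The LSA secrets key as it appears in Security 4663 ObjectName or HKLM notation.
LSA_SECRETS_KEY_RE = re.compile(
    r"(?:\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\SECURITY\\Policy\\Secrets(?:\\|$)",
    re.I)

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Hypothetical baselines (not from the page): processes that legitimately open
# lsass.exe or read LSA secrets. Tune these per environment.
LSASS_READERS_BASELINE = {r"c:\windows\system32\csrss.exe",
                          r"c:\windows\system32\wininit.exe"}
SECRETS_READERS_BASELINE = {r"c:\windows\system32\lsass.exe",
                            r"c:\windows\system32\services.exe"}

# Constructed sample events: two benign, four that should fire.
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 1, "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"reg.exe save HKLM\SECURITY C:\Users\Public\sec.hiv"},
    {"event_id": 1, "image": r"C:\Users\Public\mk.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'mk.exe "privilege::debug" "lsadump::secrets" exit'},
    {"event_id": 10, "source_image": r"C:\Users\Public\mk.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"event_id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"event_id": 4663, "object_type": "Key", "process_name": r"C:\Users\Public\tool.exe",
     "object_name": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets\_SC_MyService\CurrVal"},
    {"event_id": 1, "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]


def check_process_creation(ev: Dict) -> List[Alert]:
    """Sysmon Event ID 1: inspect the command line for hive dumps or Mimikatz modules."""
    cmd = ev.get("command_line", "")
    where = f"{ev.get('image')} (parent {ev.get('parent_image')}): {cmd}"
    alerts: List[Alert] = []
    if REG_SAVE_SECURITY_RE.search(cmd):
        alerts.append(("reg_save_security_hive", where))
    if MIMIKATZ_MODULE_RE.search(cmd):
        alerts.append(("mimikatz_module_cmdline", where))
    return alerts


def check_lsass_access(ev: Dict) -> List[Alert]:
    """Sysmon Event ID 10: a non-baseline process opened lsass.exe with memory-read rights."""
    if not ev.get("target_image", "").lower().endswith(r"\lsass.exe"):
        return []
    source = ev.get("source_image", "").lower()
    granted = int(ev.get("granted_access", "0x0"), 16)
    if source in LSASS_READERS_BASELINE or not granted & PROCESS_VM_READ:
        return []
    return [("lsass_memory_read", f"{source} opened lsass.exe with access 0x{granted:x}")]


def check_registry_access(ev: Dict) -> List[Alert]:
    """Security Event ID 4663: a non-baseline process touched SECURITY\\Policy\\Secrets."""
    obj = ev.get("object_name", "")
    proc = ev.get("process_name", "").lower()
    if ev.get("object_type") != "Key" or not LSA_SECRETS_KEY_RE.search(obj):
        return []
    if proc in SECRETS_READERS_BASELINE:
        return []
    return [("lsa_secrets_key_access", f"{proc} accessed {obj}")]


HANDLERS: Dict[int, Callable[[Dict], List[Alert]]] = {
    1: check_process_creation,
    10: check_lsass_access,
    4663: check_registry_access,
}


def detect(events: List[Dict]) -> List[Alert]:
    """Dispatch each record to the handler for its event ID and collect alerts."""
    alerts: List[Alert] = []
    for ev in events:
        handler = HANDLERS.get(ev.get("event_id"))
        if handler is not None:
            alerts.extend(handler(ev))
    return alerts


if __name__ == "__main__":
    for rule, summary in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {summary}")
```

Run as a script, the four attack-shaped records produce one alert each while the csrss.exe access to lsass.exe and the benign reg.exe query stay silent. Matching on the Mimikatz module syntax rather than the file name is what lets the renamed binary in the second record still be caught; the baseline sets are the false-positive control the correlation item above calls for.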
Tactics:
Credential Access
Platforms:
Windows
Data Sources:
Command: Command Execution, Windows Registry: Windows Registry Key Access
Relationship Citations:
(Citation: US-CERT TA18-074A),(Citation: Core Security Impacket),(Citation: CrowdStrike IceApple May 2022),(Citation: FireEye APT35 2018),(Citation: NCSC Joint Report Public Tools),(Citation: Directory Services Internals DPAPI Backup Keys Oct 2015),(Citation: Mandiant APT29 Eye Spy Email Nov 22),(Citation: FireEye APT34 July 2019),(Citation: GitHub Mimikatz lsadump Module),(Citation: F-Secure The Dukes),(Citation: GitHub Pupy),(Citation: CISA GRU29155 2024),(Citation: AADInternals Documentation),(Citation: FireEye APT33 Guardrail),(Citation: Symantec Leafminer July 2018),(Citation: Symantec MuddyWater Dec 2018),(Citation: FireEye APT34 Webinar Dec 2017),(Citation: Deply Mimikatz),(Citation: SecureWorks BRONZE UNION June 2017),(Citation: Impacket Tools),(Citation: Symantec Elfin Mar 2019),(Citation: Dell TG-3390),(Citation: Unit 42 MuddyWater Nov 2017),(Citation: NCC Group APT15 Alive and Strong),(Citation: CME Github September 2018),(Citation: Mandiant Operation Ke3chang November 2014),(Citation: PWC Cloud Hopper Technical Annex April 2017),(Citation: Github AD-Pentest-Script),(Citation: TrueSec Gsecdump),(Citation: Unit42 OilRig Playbook 2023),(Citation: GitHub LaZagne Dec 2018),(Citation: Tilbury Windows Credentials)