T1003.004 LSA Secrets Mappings

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)

Reg can be used to extract from the Registry. Mimikatz can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1003.004 LSA Secrets
AC-3 Access Enforcement Protects T1003.004 LSA Secrets
AC-5 Separation of Duties Protects T1003.004 LSA Secrets
AC-6 Least Privilege Protects T1003.004 LSA Secrets
CA-7 Continuous Monitoring Protects T1003.004 LSA Secrets
CM-2 Baseline Configuration Protects T1003.004 LSA Secrets
CM-5 Access Restrictions for Change Protects T1003.004 LSA Secrets
CM-6 Configuration Settings Protects T1003.004 LSA Secrets
IA-2 Identification and Authentication (organizational Users) Protects T1003.004 LSA Secrets
IA-5 Authenticator Management Protects T1003.004 LSA Secrets
SC-28 Protection of Information at Rest Protects T1003.004 LSA Secrets
SC-39 Process Isolation Protects T1003.004 LSA Secrets
SI-3 Malicious Code Protection Protects T1003.004 LSA Secrets
SI-4 System Monitoring Protects T1003.004 LSA Secrets
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.004 OS Credential Dumping: LSA Secrets
action.malware.variety.RAM scraper RAM scraper or memory parser (capture data from volatile memory) related-to T1003.004 OS Credential Dumping: LSA Secrets
attribute.confidentiality.data_disclosure related-to T1003.004 OS Credential Dumping: LSA Secrets