Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
Reg can be used to extract from the Registry. Mimikatz can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-02 | Account Management | Protects | T1003.004 | LSA Secrets |
| AC-03 | Access Enforcement | Protects | T1003.004 | LSA Secrets |
| AC-05 | Separation of Duties | Protects | T1003.004 | LSA Secrets |
| AC-06 | Least Privilege | Protects | T1003.004 | LSA Secrets |
| CA-07 | Continuous Monitoring | Protects | T1003.004 | LSA Secrets |
| CM-02 | Baseline Configuration | Protects | T1003.004 | LSA Secrets |
| CM-05 | Access Restrictions for Change | Protects | T1003.004 | LSA Secrets |
| CM-06 | Configuration Settings | Protects | T1003.004 | LSA Secrets |
| IA-02 | Identification and Authentication (organizational Users) | Protects | T1003.004 | LSA Secrets |
| IA-05 | Authenticator Management | Protects | T1003.004 | LSA Secrets |
| SC-28 | Protection of Information at Rest | Protects | T1003.004 | LSA Secrets |
| SC-39 | Process Isolation | Protects | T1003.004 | LSA Secrets |
| SI-03 | Malicious Code Protection | Protects | T1003.004 | LSA Secrets |
| SI-04 | System Monitoring | Protects | T1003.004 | LSA Secrets |