Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
The Reg utility can be used to extract them from the Registry; Mimikatz can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003.004 | LSA Secrets | This diagnostic statement protects against LSA Secrets through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1003.004 | LSA Secrets | This diagnostic statement protects against LSA Secrets through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1003.004 | LSA Secrets | |
CM-06 | Configuration Settings | mitigates | T1003.004 | LSA Secrets | |
CM-05 | Access Restrictions for Change | mitigates | T1003.004 | LSA Secrets | |
IA-05 | Authenticator Management | mitigates | T1003.004 | LSA Secrets | |
SC-28 | Protection of Information at Rest | mitigates | T1003.004 | LSA Secrets | |
SC-39 | Process Isolation | mitigates | T1003.004 | LSA Secrets | |
SI-03 | Malicious Code Protection | mitigates | T1003.004 | LSA Secrets | |
CM-02 | Baseline Configuration | mitigates | T1003.004 | LSA Secrets | |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1003.004 | LSA Secrets | |
SI-04 | System Monitoring | mitigates | T1003.004 | LSA Secrets | |
AC-02 | Account Management | mitigates | T1003.004 | LSA Secrets | |
AC-03 | Access Enforcement | mitigates | T1003.004 | LSA Secrets | |
AC-05 | Separation of Duties | mitigates | T1003.004 | LSA Secrets | |
AC-06 | Least Privilege | mitigates | T1003.004 | LSA Secrets | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1003.004 | LSA Secrets | This control may detect when the registry is modified to allow logon credentials to be stored in clear text in LSA memory. This change allows a threat actor to gain plain text credentials from the host machine. The following alerts may be generated: "Detected enabling of the WDigest UseLogonCredential registry key". |
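The registry change that alert reacts to can also be caught from host telemetry. The following is an added example (not code from the mappings page or from Microsoft's alert logic) that scans constructed Sysmon Event ID 13 records and flags only a write that sets UseLogonCredential to 1; the full registry path and Sysmon's "DWORD (0x...)" rendering are assumptions from Windows/Sysmon conventions rather than from the page.

```python
import json
import re

# Assumed (the mappings page names only the value): the Windows location of the WDigest
# setting. A DWORD of 1 here makes LSASS keep cleartext logon credentials in memory.
WDIGEST_VALUE_PATH = r"\Control\SecurityProviders\WDigest\UseLogonCredential"

# Sysmon Event ID 13 (RegistryEvent: Value Set) renders DWORD data as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")

def is_wdigest_cleartext_enable(event):
    """True when a Sysmon value-set event turns UseLogonCredential on (value == 1)."""
    if event.get("EventID") != 13:  # only value writes, not key create/delete (ID 12)
        return False
    target = event.get("TargetObject", "")
    if not target.lower().endswith(WDIGEST_VALUE_PATH.lower()):
        return False
    m = DWORD_RE.match(event.get("Details", ""))
    return bool(m) and int(m.group(1), 16) == 1  # writing 0 is the remediation, not an alert

def find_alerts(lines):
    """Scan JSON-per-line Sysmon records; return (ProcessId, Image) for each enabling write."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated or malformed record instead of aborting the scan
        if is_wdigest_cleartext_enable(ev):
            alerts.append((ev.get("ProcessId"), ev.get("Image")))
    return alerts

# Constructed sample telemetry (not real logs): one enabling write, one disabling write,
# one key-create event at the same path, one unrelated value, and one truncated line.
WDIGEST = r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
SAMPLE_LOG = [
    json.dumps({"EventID": 13, "ProcessId": 4120, "Image": r"C:\Windows\System32\reg.exe",
                "TargetObject": WDIGEST, "Details": "DWORD (0x00000001)"}),
    json.dumps({"EventID": 13, "TargetObject": WDIGEST, "Details": "DWORD (0x00000000)"}),
    json.dumps({"EventID": 12, "TargetObject": WDIGEST, "EventType": "CreateKey"}),
    json.dumps({"EventID": 13, "TargetObject": r"HKLM\System\Setup\SystemSetupInProgress",
                "Details": "DWORD (0x00000001)"}),
    '{"EventID": 13, "TargetObject": "HKLM\\System\\Cur',
]

if __name__ == "__main__":
    for pid, image in find_alerts(SAMPLE_LOG):
        print(f"ALERT: WDigest UseLogonCredential enabled by PID {pid} ({image})")
```

On a real host the same rule applies to the Sysmon registry events from the event log; the value being set back to 0 is the expected hardening state and is deliberately not reported.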