Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
Reg can be used to extract from the Registry. Mimikatz can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1003.004 | LSA Secrets | |
| AC-3 | Access Enforcement | Protects | T1003.004 | LSA Secrets | |
| AC-5 | Separation of Duties | Protects | T1003.004 | LSA Secrets | |
| AC-6 | Least Privilege | Protects | T1003.004 | LSA Secrets | |
| CA-7 | Continuous Monitoring | Protects | T1003.004 | LSA Secrets | |
| CM-2 | Baseline Configuration | Protects | T1003.004 | LSA Secrets | |
| CM-5 | Access Restrictions for Change | Protects | T1003.004 | LSA Secrets | |
| CM-6 | Configuration Settings | Protects | T1003.004 | LSA Secrets | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1003.004 | LSA Secrets | |
| IA-5 | Authenticator Management | Protects | T1003.004 | LSA Secrets | |
| SC-28 | Protection of Information at Rest | Protects | T1003.004 | LSA Secrets | |
| SC-39 | Process Isolation | Protects | T1003.004 | LSA Secrets | |
| SI-3 | Malicious Code Protection | Protects | T1003.004 | LSA Secrets | |
| SI-4 | System Monitoring | Protects | T1003.004 | LSA Secrets |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1003.004 | LSA Secrets |
Comments
This control may detect when the registry is modified to allow logon credentials to be stored in clear text in LSA memory. This change allows a threat actor to gain plain text credentials from the host machine. The following alerts may be generated: "Detected enabling of the WDigest UseLogonCredential registry key".
References
|