Detects adversary activity aimed at accessing LSA Secrets, either by exporting the HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets registry key (for example with `reg save HKLM\SECURITY`) or by scraping LSASS process memory with tools such as Mimikatz or PowerSploit's Invoke-Mimikatz.
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | WinEventLog:Security | EventCode=4663 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Field | Description |
|---|---|
| TargetObject / ObjectName | Target registry path, `HKLM\SECURITY\Policy\Secrets` or its variants (Security 4663 reports it as `\REGISTRY\MACHINE\SECURITY\Policy\Secrets` in ObjectName), may need tuning for OS version or registry redirection. 4663 only fires if Object Access auditing is enabled and the key carries a SACL. |
| ImageLoaded | Module names such as `lsasrv.dll`, `sechost.dll`, or suspicious DLLs loaded by user processes may require tuning for known-good service operations; `lsasrv.dll` is expected inside `lsass.exe`, so alert on loads into other processes. |
| AccessMask / GrantedAccess | Tune on the access rights actually requested: on registry keys 0x1 (Query Value), 0x2 (Set Value) and 0x4 (Create Subkey); on LSASS handles (Sysmon 10) whether 0x10 (PROCESS_VM_READ) is granted to a process outside an allowlist. |
| TimeWindow | Temporal window between the registry access event and the correlated command-line tool execution (e.g., `reg.exe`). |
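The following is an added example (not part of the original detection page) that runs the four data-component checks above over constructed, flattened Security 4663 and Sysmon 1/7/10 events and correlates a `reg.exe` export with a Secrets-key access inside the time window. The event field names follow the native Windows/Sysmon fields; the host allowlist, the 120-second window and the sample events are assumptions for illustration.

```python
"""Correlate Windows event samples into LSA Secrets access alerts (added example)."""
import re
from datetime import datetime, timedelta

SECRETS_KEY = r"\security\policy\secrets"
TIME_WINDOW = timedelta(seconds=120)                 # assumption: tune per environment
VM_READ = 0x10                                       # PROCESS_VM_READ bit in Sysmon 10 GrantedAccess
LSASS_ALLOWLIST = {                                  # assumption: known-good LSASS handle owners
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
# reg.exe save of the SECURITY hive, e.g. "reg save hklm\security C:\x.hiv"
REG_SAVE_RE = re.compile(r"\breg(\.exe)?\b.*\bsave\b.*\bhklm\\security\b", re.I)


def _ts(ev):
    return datetime.fromisoformat(ev["UtcTime"])


def match_registry_access(ev):
    """Security 4663: object access whose ObjectName is under the Secrets key."""
    return (ev["Channel"] == "Security" and ev["EventCode"] == 4663
            and SECRETS_KEY in ev.get("ObjectName", "").lower())


def match_reg_export(ev):
    """Sysmon 1: reg.exe exporting the SECURITY hive."""
    return (ev["Channel"] == "Sysmon" and ev["EventCode"] == 1
            and bool(REG_SAVE_RE.search(ev.get("CommandLine", ""))))


def match_lsass_access(ev):
    """Sysmon 10: handle to lsass.exe with PROCESS_VM_READ from a non-allowlisted source."""
    if ev["Channel"] != "Sysmon" or ev["EventCode"] != 10:
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(granted & VM_READ) and ev.get("SourceImage", "").lower() not in LSASS_ALLOWLIST


def match_lsasrv_load(ev):
    """Sysmon 7: lsasrv.dll mapped into a process other than lsass.exe."""
    return (ev["Channel"] == "Sysmon" and ev["EventCode"] == 7
            and ev.get("ImageLoaded", "").lower().endswith(r"\lsasrv.dll")
            and not ev.get("Image", "").lower().endswith(r"\lsass.exe"))


def detect(events):
    """Return (alert_type, host, time) tuples; a reg.exe export with a Secrets-key
    access on the same host within TIME_WINDOW (either order) is escalated."""
    events = sorted(events, key=_ts)
    reg_hits = [e for e in events if match_registry_access(e)]
    alerts = []
    for ev in events:
        host, when = ev["Computer"], _ts(ev)
        if match_registry_access(ev):
            alerts.append(("registry_access", host, when))
        elif match_reg_export(ev):
            linked = any(e["Computer"] == host and abs(when - _ts(e)) <= TIME_WINDOW
                         for e in reg_hits)
            alerts.append(("reg_export_correlated" if linked else "reg_export", host, when))
        elif match_lsass_access(ev):
            alerts.append(("lsass_access", host, when))
        elif match_lsasrv_load(ev):
            alerts.append(("lsasrv_load", host, when))
    return alerts


# Constructed sample events (not real telemetry), flattened to the fields the rules use.
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventCode": 1, "Computer": "HOST1", "UtcTime": "2024-03-01T10:00:00",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save hklm\security C:\temp\sec.hiv"},
    {"Channel": "Security", "EventCode": 4663, "Computer": "HOST1", "UtcTime": "2024-03-01T10:00:01",
     "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets", "AccessMask": "0x1"},
    {"Channel": "Sysmon", "EventCode": 10, "Computer": "HOST2", "UtcTime": "2024-03-01T10:05:00",
     "SourceImage": r"C:\Users\bob\Desktop\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Sysmon", "EventCode": 10, "Computer": "HOST2", "UtcTime": "2024-03-01T10:05:01",
     "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"Channel": "Sysmon", "EventCode": 7, "Computer": "HOST3", "UtcTime": "2024-03-01T10:06:00",
     "Image": r"C:\Windows\system32\lsass.exe", "ImageLoaded": r"C:\Windows\system32\lsasrv.dll"},
    {"Channel": "Sysmon", "EventCode": 7, "Computer": "HOST3", "UtcTime": "2024-03-01T10:06:01",
     "Image": r"C:\Users\bob\Desktop\tool.exe", "ImageLoaded": r"C:\Windows\system32\lsasrv.dll"},
    {"Channel": "Sysmon", "EventCode": 1, "Computer": "HOST4", "UtcTime": "2024-03-01T10:07:00",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe query hklm\software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The 4663 rule depends on a SACL on the Secrets key and Object Access auditing; without that the registry branch never fires and only the `reg.exe` command-line and LSASS-handle branches remain, which is why the correlation degrades gracefully to a plain `reg_export` alert rather than requiring both signals.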