Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry at
HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.
IceApple's Credential Dumper module can dump LSA secrets from registry keys, including:
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSA.
Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
|M1026||Privileged Account Management||
Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments that may access to a host may attempt to access Local Security Authority (LSA) secrets. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
|DS0024||Windows Registry||Windows Registry Key Access||
Monitor for the LSA secrets are stored in the registry at