OS Credential Dumping: LSA Secrets

Description

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of credential material, such as credentials for service accounts. LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.
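As an added example (not part of this page or of Tenable's product), the detection logic a defender could run over Windows Security event 4663 ("An attempt was made to access an object") records: it flags reads of the Secrets key, or any subkey, by a process other than lsass.exe. It assumes the Audit Registry subcategory is enabled and a read SACL is set on HKLM\SECURITY\Policy\Secrets so that 4663 is generated; the event records are constructed.

```python
"""Flag Security event 4663 records that read the LSA Secrets registry key.
Added example; events below are constructed, not captured from a real host."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Kernel-style path that 4663 reports for HKLM\SECURITY\Policy\Secrets (lower-cased)
SECRETS_KEY = r"\registry\machine\security\policy\secrets"
# lsass.exe reads the key as part of normal operation; any other process is unusual
EXPECTED_PROCESS = r"c:\windows\system32\lsass.exe"

def sample_event(event_id, user, process, obj_name):
    """Build a minimal constructed record in the Windows event XML shape."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="ObjectType">Key</Data><Data Name="ObjectName">{obj_name}</Data>'
            f'<Data Name="ProcessName">{process}</Data></EventData></Event>')

# Constructed: legitimate lsass read, unexpected process, unrelated key, 4656 (handle only)
SAMPLE_RECORDS = [
    sample_event("4663", "SYSTEM", r"C:\Windows\System32\lsass.exe",
                 r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets\_SC_ExampleSvc\CurrVal"),
    sample_event("4663", "Administrator", r"C:\Temp\unknown.exe",
                 r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets"),
    sample_event("4663", "svc_backup", r"C:\Windows\regedit.exe",
                 r"\REGISTRY\MACHINE\SOFTWARE\ExampleVendor"),
    sample_event("4656", "Administrator", r"C:\Temp\unknown.exe",
                 r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets"),
]

def parse_event(xml_text):
    """Return the EventData fields plus EventID from one event record."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.iterfind(".//e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext(".//e:System/e:EventID", namespaces=NS)
    return fields

def is_suspicious_secrets_access(ev):
    """True for a 4663 registry access under the Secrets key by a process other than lsass."""
    if ev.get("EventID") != "4663" or ev.get("ObjectType") != "Key":
        return False
    return (ev.get("ObjectName", "").lower().startswith(SECRETS_KEY)
            and ev.get("ProcessName", "").lower() != EXPECTED_PROCESS)

def find_suspicious(records):
    """Return (user, process, key) for each record worth investigating."""
    events = (parse_event(r) for r in records)
    return [(e["SubjectUserName"], e["ProcessName"], e["ObjectName"])
            for e in events if is_suspicious_secrets_access(e)]
```

On the constructed sample, only the read from C:\Temp\unknown.exe is returned; the lsass.exe read, the unrelated key, and the 4656 handle request are ignored.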

Products, Sensors, and Dependencies

| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Windows Services | Plugin ID: 44401 |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | WMI | Local Groups and Group membership | Plugin ID: 71246 |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | WMI | Local Users | Plugin ID: 72684 |
| Tenable Vulnerability Management | AD Starter or Identity Scan | Active Directory | Standard AD User | LDAP | List of Domain Users | |

References

Enumerate Local Group Memberships

Microsoft Windows SMB Service Config Enumeration

Enumerate Users via WMI

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Sub-Technique: LSA Secrets

Platform: Windows

Tenable Release Date: 2022 Q2