Find sigma rule

Attack: OS Credential Dumping: LSA Secrets

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)

Reg can be used to extract from the Registry. Mimikatz can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)

MITRE

Tactic

credential-access

technique

T1003.004

Test : Dumping LSA Secrets

OS

windows

Description:

Dump secrets key from Windows registry When successful, the dumped file will be written to $env:Temp\secrets. Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information. https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.

Executor

command_prompt

Sigma Rule

proc_creation_win_sysinternals_eula_accepted.yml (id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b)
proc_creation_win_sysinternals_psloglist.yml (id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc)
proc_creation_win_sysinternals_psexec_execution.yml (id: 730fc21b-eaff-474b-ad23-90fd265d4988)
registry_add_pua_sysinternals_execution_via_eula.yml (id: 25ffa65d-76d8-4da5-a832-3f2b0136e133)
file_event_win_sysinternals_psexec_service.yml (id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test