Find sigma rule
Attack: OS Credential Dumping: LSA Secrets
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
The Reg utility (reg.exe) can be used to extract secrets from the Registry, typically by saving the SECURITY\Policy\Secrets key to a file; this has to run as SYSTEM, because the default ACL on HKLM\SECURITY does not grant read access even to local Administrators. Mimikatz can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)
MITRE
Tactic
- credential-access
Technique
- T1003.004
Test: Dumping LSA Secrets
OS
- windows
Description:
Dump the Secrets key from the Windows registry. When successful, the dumped file is written to $env:Temp\secrets. Attackers may use the Secrets key to assist with extracting passwords and enumerating other sensitive system information. Note that the saved file is a raw registry hive: the secrets inside it are still encrypted with the LSA key, which is derived from the boot key held in the SYSTEM hive, so an attacker who wants cleartext values also needs that hive (or to run the decryption on the live host). https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.
Executor
command_prompt
Sigma Rule
- proc_creation_win_sysinternals_eula_accepted.yml (id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b)
- proc_creation_win_sysinternals_psloglist.yml (id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc)
- proc_creation_win_sysinternals_psexec_execution.yml (id: 730fc21b-eaff-474b-ad23-90fd265d4988)
- registry_add_pua_sysinternals_execution_via_eula.yml (id: 25ffa65d-76d8-4da5-a832-3f2b0136e133)
- file_event_win_sysinternals_psexec_service.yml (id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d)
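The rule list above only gives names and ids, so here is an added example (written for this page, not code from the Sigma project or from the test's author) of what the corresponding detection logic looks like when run over telemetry. It scans constructed Sysmon-style events with hand-written checks that approximate the behaviours the rule names point at: a Sysinternals tool launched with the EULA pre-accepted, PsExec starting, the EulaAccepted registry value being written, the PSEXESVC.exe service binary being dropped, and reg.exe saving the SECURITY\Policy\Secrets key. These checks are not the Sigma rules' text, and the sample events assume the test is driven as `PsExec -accepteula -s reg save HKLM\SECURITY\Policy\Secrets %TEMP%\secrets /y`, which the page itself does not show; the paths, SIDs and user names are invented.

```python
"""Hand-written detection checks for an LSA-secrets dump via PsExec + reg.exe.

Added example for this page: not the Sigma rules listed above, only an
approximation of the behaviours their names describe, run over constructed
Sysmon-style events (EventID 1 process create, 11 file create, 13 registry
value set). All sample values below are invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    rule: str       # short label for the behaviour matched
    evidence: str   # the field value that triggered the match


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# The LSA secrets key in either spelling reg.exe accepts for the root.
_SECRETS_KEY = re.compile(
    r"(hklm|hkey_local_machine)\\security\\policy\\secrets\b", re.IGNORECASE)


def eula_accepted(ev: dict) -> Optional[Alert]:
    """Sysinternals tool started with -accepteula / /accepteula on the command line."""
    cmd = ev.get("CommandLine", "")
    if ev.get("EventID") == 1 and re.search(r"[-/]accepteula\b", cmd, re.IGNORECASE):
        return Alert("sysinternals_eula_accepted", cmd)
    return None


def psexec_execution(ev: dict) -> Optional[Alert]:
    """PsExec or PsExec64 process start, matched on image name only (a renamed copy evades this)."""
    if ev.get("EventID") == 1 and _basename(ev.get("Image", "")) in {"psexec.exe", "psexec64.exe"}:
        return Alert("psexec_execution", ev["Image"])
    return None


def psexec_service_file(ev: dict) -> Optional[Alert]:
    """PSEXESVC.exe written to disk; PsExec drops it even when run against the local host."""
    if ev.get("EventID") == 11 and _basename(ev.get("TargetFilename", "")) == "psexesvc.exe":
        return Alert("psexec_service_file", ev["TargetFilename"])
    return None


def eula_registry_value(ev: dict) -> Optional[Alert]:
    """EulaAccepted value set under Software\\Sysinternals\\<tool> in a user hive."""
    target = ev.get("TargetObject", "")
    if ev.get("EventID") == 13 and re.search(
            r"\\software\\sysinternals\\[^\\]+\\eulaaccepted$", target, re.IGNORECASE):
        return Alert("sysinternals_eula_registry", target)
    return None


def secrets_hive_save(ev: dict) -> Optional[Alert]:
    """reg.exe save of HKLM\\SECURITY\\Policy\\Secrets: the dump itself, normally running as SYSTEM."""
    cmd = ev.get("CommandLine", "")
    if (ev.get("EventID") == 1 and _basename(ev.get("Image", "")) == "reg.exe"
            and re.search(r"\bsave\b", cmd, re.IGNORECASE) and _SECRETS_KEY.search(cmd)):
        return Alert("lsa_secrets_reg_save", cmd)
    return None


DETECTORS = (eula_accepted, psexec_execution, psexec_service_file,
             eula_registry_value, secrets_hive_save)


def scan(events: list) -> list:
    """Run every detector over every event; one event may raise several alerts."""
    return [a for ev in events for d in DETECTORS if (a := d(ev)) is not None]


# Constructed sample telemetry for the test above (Sysmon field names; values invented).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\PsExec.exe",
     "CommandLine": r"PsExec.exe -accepteula -s reg save HKLM\SECURITY\Policy\Secrets C:\Users\alice\AppData\Local\Temp\secrets /y",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Sysinternals\PsExec\EulaAccepted",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\PsExec.exe",
     "TargetFilename": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SECURITY\Policy\Secrets C:\Users\alice\AppData\Local\Temp\secrets /y",
     "ParentImage": r"C:\Windows\PSEXESVC.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # Benign reg.exe use: a query, not a save, and not the SECURITY hive; must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\bob"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.rule:30} {alert.evidence}")
```

The reg.exe check is the one that actually proves the technique; the PsExec and EULA checks only show how the test was driven and will fire on plenty of legitimate administration. In practice the process-creation check is the one to tune first: reg.exe with `save` against anything under HKLM\SECURITY or HKLM\SAM is rare enough on workstations that it can usually alert on its own, while the Sysinternals checks are better used as supporting context.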