Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.[1][2][3] LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
. LSA secrets can also be dumped from memory.[4]
Reg can be used to extract from the Registry. Mimikatz can be used to extract secrets from memory.[4]
ID | Name | Description |
---|---|---|
S0677 | AADInternals |
AADInternals can dump secrets from the Local Security Authority.[5] |
G0016 | APT29 |
APT29 has used the |
G0064 | APT33 |
APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[7][8] |
S0050 | CosmicDuke |
CosmicDuke collects LSA secrets.[9] |
S0488 | CrackMapExec |
CrackMapExec can dump hashed passwords from LSA secrets for the targeted system.[10] |
G0035 | Dragonfly |
Dragonfly has dropped and executed SecretsDump to dump password hashes.[11][12] |
G1003 | Ember Bear |
Ember Bear has used frameworks such as Impacket to dump LSA secrets for credential capture.[13] |
S0008 | gsecdump | |
S1022 | IceApple |
IceApple's Credential Dumper module can dump LSA secrets from registry keys, including: |
S0357 | Impacket |
SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.[16] |
G0004 | Ke3chang |
Ke3chang has dumped credentials, including by using gsecdump.[17][18] |
S0349 | LaZagne |
LaZagne can perform credential dumping from LSA secrets to obtain account and password information.[19] |
G0077 | Leafminer |
Leafminer used several tools for retrieving login and password information, including LaZagne.[20] |
G0045 | menuPass |
menuPass has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.[21][22] |
S0002 | Mimikatz |
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSA.[23][24][25][26] |
G0069 | MuddyWater |
MuddyWater has performed credential dumping with LaZagne.[27][28] |
G0049 | OilRig |
OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[29][30][31][32] |
S0192 | Pupy | |
G0027 | Threat Group-3390 |
Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers.[34][35] |
ID | Mitigation | Description |
---|---|---|
M1027 | Password Policies |
Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
M1026 | Privileged Account Management |
Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.[3] |
M1017 | User Training |
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may access to a host may attempt to access Local Security Authority (LSA) secrets. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[36] which may require additional logging features to be configured in the operating system to collect necessary information for analysis. Analytic 1 - Suspicious access to LSA secrets.
|
DS0024 | Windows Registry | Windows Registry Key Access |
Monitor for the LSA secrets are stored in the registry at Analytic 1 - Unauthorized registry access to LSA secrets.
|