Description
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
Reg can be used to extract them from the Registry. Mimikatz can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)
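As an added example (not part of the ATT&CK page or of any cited source), the following Python triages constructed process-creation records, with field names modeled on Windows Security 4688 / Sysmon Event ID 1 (`Image`, `User`, `CommandLine`), for the indicators the description names: `reg save` / `reg export` against the SECURITY hive or its `Policy\Secrets` key, any command line that references that key directly, and the tool names listed on this page. It also shows the benign case a detection must not flag: a `reg save` of a different hive. The sample events, the event field names and the confidence labels are all constructed for the example.

```python
"""Triage process-creation events for access to the LSA secrets store.

Added example for ATT&CK T1003.004, not part of the technique page.
The event dicts are constructed, with field names modeled on Windows
Security 4688 / Sysmon Event ID 1 (Image, User, CommandLine).
"""
import re
from typing import Dict, List, Optional, Tuple

# Where the technique page says LSA secrets live in the registry.
SECRETS_KEY = r"HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets"

# Tools named on the technique page; a match on image name is low confidence only.
KNOWN_TOOLS = ("mimikatz", "secretsdump", "gsecdump", "lazagne")

# Expand the HKLM shorthand only when it is the whole first path component.
_HIVE_ALIAS = re.compile(r"^(hkey_local_machine|hklm)(?=\\|$)", re.IGNORECASE)


def normalize_key(token: str) -> str:
    """Canonical form of a registry path: no quotes, backslashes, HKLM expanded, upper-cased."""
    t = token.strip("\"'").replace("/", "\\").rstrip("\\")
    t = _HIVE_ALIAS.sub("HKEY_LOCAL_MACHINE", t)
    return t.upper()


def targets_security_hive(token: str) -> bool:
    """True if the token is the SECURITY hive itself or any subkey of it."""
    k = normalize_key(token)
    return k == r"HKEY_LOCAL_MACHINE\SECURITY" or k.startswith("HKEY_LOCAL_MACHINE\\SECURITY\\")


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted arguments intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def reg_hive_dump(tokens: List[str]) -> Optional[Tuple[str, str]]:
    """Find `reg save|export <SECURITY hive or subkey>` anywhere in the tokens.

    Scanning the whole token list also catches the command when it is wrapped,
    e.g. `cmd.exe /c reg save ...`.
    """
    for i in range(len(tokens) - 2):
        exe = tokens[i].lower().rsplit("\\", 1)[-1]
        verb = tokens[i + 1].lower()
        if exe in ("reg", "reg.exe") and verb in ("save", "export") \
                and targets_security_hive(tokens[i + 2]):
            return verb, normalize_key(tokens[i + 2])
    return None


def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (confidence, reason) for a suspicious event, else None."""
    tokens = tokenize(event.get("CommandLine", ""))
    basename = event.get("Image", "").lower().rsplit("\\", 1)[-1]

    hit = reg_hive_dump(tokens)
    if hit:
        return "high", f"reg {hit[0]} of {hit[1]}"
    if any(normalize_key(t).startswith(SECRETS_KEY.upper()) for t in tokens):
        return "high", "command line references the LSA Secrets key"
    for tool in KNOWN_TOOLS:
        if tool in basename:
            return "low", f"image name matches known dumping tool: {basename}"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Return (event index, confidence, reason) for each event that matches."""
    hits = []
    for i, ev in enumerate(events):
        result = classify(ev)
        if result:
            hits.append((i, result[0], result[1]))
    return hits


# Constructed sample events: two true positives, one benign reg save, one tool name, one noise.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"reg save HKLM\SECURITY C:\Windows\Temp\sec.hiv"},
    {"Image": r"C:\Windows\System32\reg.exe", "User": r"CORP\backupsvc",
     "CommandLine": r'reg save "HKLM\SOFTWARE\Contoso" C:\backup\contoso.hiv'},
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"cmd.exe /c reg export HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets out.reg"},
    {"Image": r"C:\Users\Public\mimikatz.exe", "User": r"CORP\alice",
     "CommandLine": '"mimikatz.exe"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\alice",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for idx, confidence, reason in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{confidence.upper()}] event {idx} user={ev['User']} image={ev['Image']}: {reason}")
```

The hive check is deliberately scoped to `HKLM\SECURITY` and its subkeys, so routine `reg save` backups of other hives do not fire, and the tool-name check is kept separate at low confidence because a renamed binary defeats it; the `User` field is carried through so an analyst can confirm the SYSTEM context the description says this technique requires.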
Platforms
Mitigations (3)
Password Policies (M1027)
Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Privileged Account Management (M1026)
Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.(Citation: Tilbury Windows Credentials)
User Training (M1017)
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
Threat Groups (10)
| ID | Group | Context |
|---|---|---|
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has performed credential dumping with [LaZagne](https://attack.mitre.org/software/S0349).(Citation... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors have used [gsecdump](https://attack.mitre.org/software/S0008) to dump credentials. T... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used credential dumping tools such as [LaZagne](https://attack.mitre.org/software/S0349) to steal ... |
| G0077 | Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) used several tools for retrieving login and password information, including LaZagne.(Citation: Syma... |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used a variety of publicly available tools like [LaZagne](https://attack.mitre.org/software/S0349) ... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used the `reg save` command to extract LSA secrets offline.(Citation: Mandiant APT29 Eye Spy Email ... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.(... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has dropped and executed SecretsDump to dump password hashes.(Citation: US-CERT TA18-074A)(Citation... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has used frameworks such as [Impacket](https://attack.mitre.org/software/S0357) to dump LSA secret... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has dumped credentials, including by using gsecdump.(Citation: Mandiant Operation Ke3chang November ... |
Associated Software (9)
| ID | Name | Type | Context |
|---|---|---|---|
| S1022 | IceApple | Malware | [IceApple](https://attack.mitre.org/software/S1022)'s Credential Dumper module can dump LSA secrets from registry keys, including: `HKLM\SECURITY\Poli... |
| S0050 | CosmicDuke | Malware | [CosmicDuke](https://attack.mitre.org/software/S0050) collects LSA secrets.(Citation: F-Secure The Dukes) |
| S0008 | gsecdump | Tool | [gsecdump](https://attack.mitre.org/software/S0008) can dump LSA secrets.(Citation: TrueSec Gsecdump) |
| S0349 | LaZagne | Tool | [LaZagne](https://attack.mitre.org/software/S0349) can perform credential dumping from LSA secrets to obtain account and password information.(Citatio... |
| S0488 | CrackMapExec | Tool | [CrackMapExec](https://attack.mitre.org/software/S0488) can dump hashed passwords from LSA secrets for the targeted system.(Citation: CME Github Septe... |
| S0677 | AADInternals | Tool | [AADInternals](https://attack.mitre.org/software/S0677) can dump secrets from the Local Security Authority.(Citation: AADInternals Documentation) |
| S0357 | Impacket | Tool | SecretsDump and [Mimikatz](https://attack.mitre.org/software/S0002) modules within [Impacket](https://attack.mitre.org/software/S0357) can perform cre... |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can use Lazagne for harvesting credentials.(Citation: GitHub Pupy) |
| S0002 | Mimikatz | Tool | [Mimikatz](https://attack.mitre.org/software/S0002) performs credential dumping to obtain account and password information useful in gaining access to... |
Related CWE Weaknesses
References
- Chad Tilbury. (2017, August 8). Windows Credentials: Attack, Mitigation, Defense. Retrieved February 21, 2020.
- Mantvydas Baranauskas. (2019, November 16). Dumping LSA Secrets. Retrieved February 21, 2020.
- Microsoft. (2019, February 14). Active Directory administrative tier model. Retrieved February 21, 2020.
- Passcape. (n.d.). Windows LSA secrets. Retrieved February 21, 2020.
- PowerSploit. (n.d.). Retrieved December 4, 2014.
Frequently Asked Questions
What is T1003.004 (LSA Secrets)?
T1003.004 is a MITRE ATT&CK technique named 'LSA Secrets'. It belongs to the Credential Access tactic(s). Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service ac...
How can T1003.004 be detected?
Detection of T1003.004 (LSA Secrets) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1003.004?
There are 3 documented mitigations for T1003.004. Key mitigations include: Password Policies, Privileged Account Management, User Training.
Which threat groups use T1003.004?
Known threat groups using T1003.004 include: MuddyWater, Threat Group-3390, OilRig, Leafminer, APT33, APT29, menuPass, Dragonfly.