Detections
Analytics
OS Credential Dumping: LSA Secrets
Description
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Windows Services | Plugin ID: 44401 |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | WMI | Local Groups and Group membership | Plugin ID: 71246 |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | WMI | Local Users | Plugin ID: 72684 |
| Tenable Vulnerability Management | AD Starter or Identity Scan | Active Directory | Standard AD User | LDAP | List of Domain Users |
References
Enumerate Local Group Memberships
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Credential Access
Technique: OS Credential Dumping
Sub-Technique: LSA Secrets
Platform: Windows
Products Required: Tenable Vulnerability Management
Tenable Release Date: 2022 Q2