LSA Secrets - T1003.004
(ATT&CK® Technique)
Definition
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.
D3FEND Inferred Relationships
Artifacts the offensive technique may access:
LSA Secrets (T1003.004) may-access Process
LSA Secrets (T1003.004) may-access System Password Database

Defensive techniques, the artifact each acts on, and the inferred relationship to LSA Secrets:
System Call Filtering: isolates Process; may-isolate LSA Secrets
Process Self-Modification Detection: analyzes Process; may-detect LSA Secrets
Process Spawn Analysis: analyzes Process; may-detect LSA Secrets
Kernel-based Process Isolation: isolates Process; may-isolate LSA Secrets
Application-based Process Isolation: isolates Process; may-isolate LSA Secrets
Hardware-based Process Isolation: isolates Process; may-isolate LSA Secrets
Host Shutdown: terminates Process; may-evict LSA Secrets
Process Termination: terminates Process; may-evict LSA Secrets
Process Suspension: suspends Process; may-evict LSA Secrets
Restore Database: restores System Password Database; may-restore LSA Secrets
Host Reboot: terminates Process; may-evict LSA Secrets
Process Lineage Analysis: analyzes Process; may-detect LSA Secrets