T1003.004 LSA Secrets Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let LSARegistryAccess = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has @"SECURITY\Policy\Secrets"
    or (RegistryKey has @"HKLM\SECURITY" and RegistryKey has "Policy")
| where InitiatingProcessFileName !in~ ("lsass.exe", "svchost.exe", "services.exe")
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
let LSADumpCommands = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
    "lsadump::secrets", "lsadump::cache",
    "secretsdump", "lsa_secrets", "LSAsecret"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let RegExportSecurity = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "reg.exe"
| where ProcessCommandLine has "save" and ProcessCommandLine has_any ("hklm\\security", "security")
    and not (ProcessCommandLine has "hklm\\system")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
union LSARegistryAccess, LSADumpCommands, RegExportSecurity
| sort by Timestamp desc

critical severity high confidence

Data Sources

Windows Registry: Registry Key Access Process: Process Creation Command: Command Execution

Required Tables

DeviceRegistryEvents DeviceProcessEvents

False Positives

Security scanning tools or EDR products performing credential audit checks on HKLM\SECURITY
IT administrators running authorized credential audit scripts to inventory service account usage
Incident response tools collecting system state information including LSA secrets
Backup software with SYSTEM privileges reading SECURITY hive as part of system state backup

Splunk

spl

index=wineventlog
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13)
    TargetObject="*\\SECURITY\\Policy\\Secrets*"
    NOT (Image="*\\lsass.exe" OR Image="*\\svchost.exe" OR Image="*\\services.exe"))
  OR
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (CommandLine="*lsadump::secrets*" OR CommandLine="*secretsdump*"
     OR (Image="*\\reg.exe" AND CommandLine="*save*" AND CommandLine="*security*")))
| eval DetectionType=case(
    (EventCode=12 OR EventCode=13), "RegistryAccess",
    match(CommandLine, "lsadump::secrets|secretsdump"), "DumpTool",
    match(Image, "reg\.exe") AND match(CommandLine, "save.*security"), "RegExport",
    1==1, "Other"
  )
| table _time, host, Image, CommandLine, TargetObject, User, DetectionType
| sort - _time

critical severity high confidence

Data Sources

Windows Registry: Registry Key Access Process: Process Creation Sysmon Event ID 12 Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

LSASS itself accessing Policy\Secrets during service startup and authentication
System Center Configuration Manager agent checking service account credentials
Enterprise password management solutions reading service account credentials from LSA
CyberArk or similar PAM solutions that manage and read service account passwords stored in LSA

Elastic Security (EQL)

eql

any where
  (
    event.category == "registry" and
    registry.path : ("*\\SECURITY\\Policy\\Secrets*") and
    not process.name : ("lsass.exe", "svchost.exe", "services.exe", "LSASS.EXE")
  ) or
  (
    event.category == "process" and event.type == "start" and
    process.command_line : ("*lsadump::secrets*", "*lsadump::cache*", "*secretsdump*", "*lsa_secrets*", "*LSAsecret*")
  ) or
  (
    event.category == "process" and event.type == "start" and
    process.name : "reg.exe" and
    process.command_line : "*save*" and
    process.command_line : "*security*" and
    not process.command_line : "*system*"
  )

critical severity high confidence

Data Sources

Elastic Endpoint Security Windows Sysmon (via Elastic Agent) Elastic Security SIEM

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.process-* logs-windows.sysmon_operational-*

False Positives

Backup software or configuration management tools (e.g., Ansible, SCCM) that legitimately enumerate LSA secrets for auditing purposes under controlled change windows
Security scanning tools such as CyberArk PTA, BeyondTrust, or Tenable.SC enumerating credential stores as part of privileged access management audits
Legitimate IT operations using reg.exe to export the SECURITY hive as part of GPO troubleshooting or disaster recovery procedures — typically performed by domain admins during maintenance windows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS Username,
  QIDNAME(qid) AS EventName,
  "TargetObject",
  "Image",
  "CommandLine",
  CASE
    WHEN "TargetObject" ILIKE '%\\SECURITY\\Policy\\Secrets%' THEN 'RegistryAccess'
    WHEN "CommandLine" ILIKE '%lsadump::secrets%' OR "CommandLine" ILIKE '%secretsdump%' OR "CommandLine" ILIKE '%lsa_secrets%' THEN 'DumpTool'
    WHEN "Image" ILIKE '%\\reg.exe' AND "CommandLine" ILIKE '%save%' AND "CommandLine" ILIKE '%security%' THEN 'RegExport'
    ELSE 'Other'
  END AS DetectionType
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13)
  AND (
    (
      ("TargetObject" ILIKE '%\\SECURITY\\Policy\\Secrets%')
      AND "Image" NOT ILIKE '%\\lsass.exe'
      AND "Image" NOT ILIKE '%\\svchost.exe'
      AND "Image" NOT ILIKE '%\\services.exe'
      AND (QIDNAME(qid) ILIKE '%Registry%' OR CATEGORYNAME(category) ILIKE '%Registry%')
    )
    OR (
      "CommandLine" ILIKE '%lsadump::secrets%'
      OR "CommandLine" ILIKE '%lsadump::cache%'
      OR "CommandLine" ILIKE '%secretsdump%'
      OR "CommandLine" ILIKE '%lsa_secrets%'
      OR "CommandLine" ILIKE '%LSAsecret%'
    )
    OR (
      "Image" ILIKE '%\\reg.exe'
      AND "CommandLine" ILIKE '%save%'
      AND "CommandLine" ILIKE '%security%'
      AND "CommandLine" NOT ILIKE '%system%'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

critical severity high confidence

Data Sources

Microsoft Windows Sysmon (via QRadar WinCollect or Syslog) IBM QRadar SIEM Windows Security Event Log

Required Tables

events

False Positives

Enterprise PAM solutions (CyberArk, Delinea/Thycotic) performing scheduled credential verification rotations that touch LSA secrets paths as part of service account management
Windows LAPS (Local Administrator Password Solution) or legacy LAPS implementations reading auto-logon credentials stored in LSA secrets during policy enforcement
Vulnerability scanners (Tenable Nessus, Qualys) with credentialed scans running reg.exe commands as part of Windows configuration compliance checks

Sumo Logic CSE

sql

(_sourceCategory="*windows*sysmon*" OR _sourceCategory="*sysmon*" OR _sourceCategory="*WinEventLog*Sysmon*")
| parse "<EventID>*</EventID>" as EventCode nodrop
| parse "<TargetObject>*</TargetObject>" as TargetObject nodrop
| parse "<Image>*</Image>" as Image nodrop
| parse "<CommandLine>*</CommandLine>" as CommandLine nodrop
| parse "<Computer>*</Computer>" as Computer nodrop
| parse "<User>*</User>" as SysmonUser nodrop
| where
  (
    EventCode in ("12","13")
    and TargetObject matches "*\\SECURITY\\Policy\\Secrets*"
    and !(Image matches "*\\lsass.exe" or Image matches "*\\svchost.exe" or Image matches "*\\services.exe")
  )
  or
  (
    EventCode = "1"
    and (
      CommandLine matches "*lsadump::secrets*"
      or CommandLine matches "*lsadump::cache*"
      or CommandLine matches "*secretsdump*"
      or CommandLine matches "*lsa_secrets*"
      or CommandLine matches "*LSAsecret*"
    )
  )
  or
  (
    EventCode = "1"
    and Image matches "*\\reg.exe"
    and CommandLine matches "*save*"
    and CommandLine matches "*security*"
    and !(CommandLine matches "*hklm\\system*")
  )
| if (EventCode in ("12","13"), "RegistryAccess",
    if (CommandLine matches "*lsadump*" or CommandLine matches "*secretsdump*", "DumpTool",
      if (Image matches "*\\reg.exe" and CommandLine matches "*save*", "RegExport", "Other")
    )
  ) as DetectionType
| count as EventCount by _messageTime, Computer, SysmonUser, Image, CommandLine, TargetObject, DetectionType
| fields -EventCount
| sort by _messageTime desc

critical severity high confidence

Data Sources

Windows Sysmon via Sumo Logic Installed Collector Sumo Logic Cloud SIEM Windows Event Log via Sumo Logic Universal Forwarder

Required Tables

_sourceCategory with Sysmon Operational logs

False Positives

Endpoint Detection and Response (EDR) agents such as CrowdStrike Falcon or Carbon Black performing their own registry monitoring that transiently accesses LSA secrets paths during sensor initialization or health checks
Windows Active Directory migration tools or domain join/unjoin operations that legitimately read service account credentials stored in LSA secrets during domain configuration
Automated deployment pipelines using reg.exe to export and migrate registry hives between environments as part of golden image creation or system provisioning workflows

Google Chronicle / SecOps

yaral

rule lsa_secrets_dumping_t1003_004 {
  meta:
    author = "Detection Engineering"
    description = "Detects LSA Secrets dumping via unauthorized registry access, credential dump tools, or reg.exe SECURITY hive export"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1003.004"
    reference = "https://attack.mitre.org/techniques/T1003/004/"
    version = "1.0"

  events:
    (
      (
        $e.metadata.event_type = "REGISTRY_OPEN" or
        $e.metadata.event_type = "REGISTRY_READ"
      ) and
      re.regex($e.target.registry.registry_key, `(?i).*\\SECURITY\\Policy\\Secrets.*`) and
      not re.regex($e.principal.process.file.full_path, `(?i).*(\\lsass\.exe|\\svchost\.exe|\\services\.exe)$`)
    )
    or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.command_line, `(?i)(lsadump::secrets|lsadump::cache|secretsdump|lsa_secrets|LSAsecret)`)
    )
    or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.file.full_path, `(?i).*\\reg\.exe$`) and
      re.regex($e.target.process.command_line, `(?i).*save.*`) and
      re.regex($e.target.process.command_line, `(?i).*security.*`) and
      not re.regex($e.target.process.command_line, `(?i).*hklm\\\\system.*`)
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle SIEM Windows Sysmon via Chronicle Forwarder Microsoft Defender for Endpoint via Chronicle ingestion Windows Event Log via Chronicle Forwarder

Required Tables

UDM events with event_type REGISTRY_OPEN, REGISTRY_READ, PROCESS_LAUNCH

False Positives

Privileged access workstation (PAW) management software performing scheduled audits of LSA secrets to verify service account credential synchronization across managed systems
Security orchestration tools (Splunk SOAR, Palo Alto XSOAR) executing automated credential health checks that involve reading LSA secrets paths as part of incident response playbooks
Domain controller replication processes or Active Directory Recycle Bin operations that may access LSA-adjacent registry paths during synchronization of credential-related attributes

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(RegGenericKeyEvent|ProcessRollup2)$/
| case {
    test(#event_simpleName = "RegGenericKeyEvent") |
      RegistryPath = /SECURITY\\Policy\\Secrets/i |
      not ImageFileName = /(lsass\.exe|svchost\.exe|services\.exe)$/i |
      DetectionType := "RegistryAccess" ;

    test(#event_simpleName = "ProcessRollup2" and CommandLine = /(lsadump::secrets|lsadump::cache|secretsdump|lsa_secrets|LSAsecret)/i) |
      DetectionType := "DumpTool" ;

    test(#event_simpleName = "ProcessRollup2" and ImageFileName = /reg\.exe$/i and CommandLine = /save/i and CommandLine = /security/i) |
      not CommandLine = /hklm\\\\system/i |
      DetectionType := "RegExport" ;

    * | drop()
  }
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, RegistryPath, DetectionType], function=count(as=EventCount))
| sort(field=_time, order=desc, limit=500)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon Data Replicator (FDR) CrowdStrike LogScale (Humio)

Required Tables

CrowdStrike FDR events: RegGenericKeyEvent, ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself performing internal telemetry collection that generates RegGenericKeyEvent entries referencing SECURITY registry paths during its own process access monitoring
Microsoft System Center Configuration Manager (SCCM) or Intune management agents executing reg.exe commands to export registry hives for compliance baseline comparisons or configuration inventory collection
Penetration testing engagements where authorized red team operators use secretsdump.py or Mimikatz under a sanctioned Rules of Engagement — these should be time-bounded and correlated with change tickets

LSA Secrets

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections