Detect LSA Secrets in IBM QRadar
Adversaries with SYSTEM access dump LSA secrets from HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets, which hold service account credentials (the _SC_<service> entries), auto-logon passwords (DefaultPassword), IIS application pool credentials, scheduled task credentials, VPN/dial-up credentials, the machine account password ($MACHINE.ACC) and the DPAPI system keys (DPAPI_SYSTEM). The SECURITY hive is readable only by SYSTEM, and the secrets are encrypted with a key derived from the boot key held in the SYSTEM hive, which is why offline dumping exports both hives. Tools include Mimikatz (lsadump::secrets), Impacket secretsdump.py, gsecdump, LaZagne, and reg.exe to export HKLM\SECURITY. Used by MuddyWater, APT33, APT29, OilRig, Ember Bear, Leafminer, and many others. Service account credentials recovered this way are typically cleartext and enable lateral movement to the hosts and services those accounts manage.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1003 OS Credential Dumping
- Sub-technique: T1003.004 LSA Secrets
- Canonical reference: https://attack.mitre.org/techniques/T1003/004/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource,
sourceip AS SourceIP,
username AS Username,
QIDNAME(qid) AS EventName,
"TargetObject",
"Image",
"CommandLine",
CASE
WHEN "TargetObject" ILIKE '%\\SECURITY\\Policy\\Secrets%' THEN 'RegistryAccess'
WHEN "CommandLine" ILIKE '%lsadump::secrets%' OR "CommandLine" ILIKE '%lsadump::cache%' OR "CommandLine" ILIKE '%secretsdump%' OR "CommandLine" ILIKE '%lsa_secrets%' OR "CommandLine" ILIKE '%LSAsecret%' THEN 'DumpTool'
WHEN "Image" ILIKE '%\\reg.exe' AND "CommandLine" ILIKE '%save%' AND ("CommandLine" ILIKE '%HKLM\\SECURITY%' OR "CommandLine" ILIKE '%HKEY_LOCAL_MACHINE\\SECURITY%') THEN 'RegExport'
ELSE 'Other'
END AS DetectionType
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) IN (12, 13)
AND (
(
("TargetObject" ILIKE '%\\SECURITY\\Policy\\Secrets%')
AND "Image" NOT ILIKE '%\\lsass.exe'
AND "Image" NOT ILIKE '%\\svchost.exe'
AND "Image" NOT ILIKE '%\\services.exe'
AND (QIDNAME(qid) ILIKE '%Registry%' OR CATEGORYNAME(category) ILIKE '%Registry%')
)
OR (
"CommandLine" ILIKE '%lsadump::secrets%'
OR "CommandLine" ILIKE '%lsadump::cache%'
OR "CommandLine" ILIKE '%secretsdump%'
OR "CommandLine" ILIKE '%lsa_secrets%'
OR "CommandLine" ILIKE '%LSAsecret%'
)
OR (
"Image" ILIKE '%\\reg.exe'
AND "CommandLine" ILIKE '%save%'
AND ("CommandLine" ILIKE '%HKLM\\SECURITY%' OR "CommandLine" ILIKE '%HKEY_LOCAL_MACHINE\\SECURITY%')
)
)
ORDER BY starttime DESC
LAST 24 HOURS

Detects LSA Secrets dumping (T1003.004) in QRadar by combining three signals from Windows endpoint telemetry: Sysmon registry events (Event IDs 12/13/14, which fire on key create/delete, value set and rename) whose TargetObject is under HKLM\SECURITY\Policy\Secrets and whose writer is not lsass.exe, services.exe or svchost.exe (the processes that legitimately maintain those secrets); process creation events whose command line carries a known dump tool or module name (the CASE expression lists the same patterns as the WHERE clause so that every hit gets a DetectionType other than 'Other'); and reg.exe saving the SECURITY hive, matched on the hive name (HKLM\SECURITY or HKEY_LOCAL_MACHINE\SECURITY) rather than on the bare word 'security', so an output path under C:\Windows\System32 does not suppress the hit and unrelated commands do not fire.

Two caveats. Sysmon does not record registry reads, so a dumper that opens the Secrets keys read-only as SYSTEM (the normal Mimikatz and LaZagne path) surfaces only through the tool or reg.exe branches, or through Windows Security Event ID 4663 if a SACL is placed on the key; the RegistryAccess branch catches tools that create, set or delete values under Secrets. Log source type IDs are deployment specific: the query assumes 12 and 13 are the Windows log source types through which WinCollect delivers Sysmon and Security events; confirm them with LOGSOURCETYPENAME(devicetype) before enabling the rule. Because secretsdump and similar tools need the SYSTEM hive to decrypt the secrets, a sibling reg save HKLM\SYSTEM from the same host within a few minutes is strong corroboration.
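The following is an added example, not part of the original page or of IBM's product code: an offline replay of the rule's three branches over constructed Sysmon-style events, so the matching logic can be checked without a QRadar instance. The event dictionaries mimic the custom properties the AQL query reads (TargetObject, Image, CommandLine, EventName) plus a LogSourceTypeId; the field names, the event name strings and the assumption that log source type 12 carries the Windows events are all assumptions about a particular deployment. It also shows why the reg.exe branch anchors on the hive name: an export written under C:\Windows\System32 still fires, while a SAM export from a folder called "security-audit" does not.

```python
"""Replay of the QRadar LSA Secrets rule over constructed events (added example)."""
import re
from typing import Optional

# Assumed deployment-specific log source type IDs for Windows/Sysmon events.
WINDOWS_LOG_SOURCE_TYPES = {12, 13}

# Processes that legitimately write under HKLM\SECURITY\Policy\Secrets.
SYSTEM_WRITERS = ("\\lsass.exe", "\\svchost.exe", "\\services.exe")

# Command-line markers of known dump tools/modules (same list as the AQL query).
DUMP_TOOL_MARKERS = ("lsadump::secrets", "lsadump::cache", "secretsdump",
                     "lsa_secrets", "lsasecret")

# Match the hive name itself, followed by a backslash, whitespace, a quote or the
# end of the string, instead of the bare word "security" anywhere in the command.
SECURITY_HIVE = re.compile(r'(hklm|hkey_local_machine)\\security(?:\\|\s|"|$)',
                           re.IGNORECASE)


def classify(event: dict) -> Optional[str]:
    """Return the DetectionType the rule would assign, or None if it would not fire."""
    if event.get("LogSourceTypeId") not in WINDOWS_LOG_SOURCE_TYPES:
        return None
    target = (event.get("TargetObject") or "").lower()
    image = (event.get("Image") or "").lower()
    cmd = (event.get("CommandLine") or "").lower()
    name = (event.get("EventName") or "").lower()

    # Branch 1: a registry create/set/delete under Secrets by an unexpected writer.
    if ("\\security\\policy\\secrets" in target and "registry" in name
            and not image.endswith(SYSTEM_WRITERS)):
        return "RegistryAccess"
    # Branch 2: known tool or module name on the command line.
    if any(marker in cmd for marker in DUMP_TOOL_MARKERS):
        return "DumpTool"
    # Branch 3: reg.exe saving the SECURITY hive.
    if (image.endswith("\\reg.exe") and re.search(r"\bsave\b", cmd)
            and SECURITY_HIVE.search(cmd)):
        return "RegExport"
    return None


def run_rule(events) -> list:
    """Return (index, DetectionType) for every event the rule would report."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify(ev)
        if verdict:
            hits.append((i, verdict))
    return hits


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    # Sysmon EID 1: SECURITY hive export written into a System32 subfolder
    {"LogSourceTypeId": 12, "EventName": "Sysmon Process Create",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save HKLM\\SECURITY C:\\Windows\\System32\\Tasks\\sec.hiv",
     "TargetObject": None},
    # Sysmon EID 1: renamed Mimikatz running lsadump::secrets
    {"LogSourceTypeId": 12, "EventName": "Sysmon Process Create",
     "Image": "C:\\Users\\Public\\m.exe",
     "CommandLine": 'm.exe "privilege::debug" "token::elevate" "lsadump::secrets" exit',
     "TargetObject": None},
    # Sysmon EID 13: services.exe updating a service secret (benign, excluded)
    {"LogSourceTypeId": 12, "EventName": "Sysmon Registry Value Set",
     "Image": "C:\\Windows\\System32\\services.exe", "CommandLine": None,
     "TargetObject": "HKLM\\SECURITY\\Policy\\Secrets\\_SC_MyService\\CurrVal\\(Default)"},
    # Sysmon EID 13: an unexpected process writing under Secrets
    {"LogSourceTypeId": 12, "EventName": "Sysmon Registry Value Set",
     "Image": "C:\\Temp\\tool.exe", "CommandLine": None,
     "TargetObject": "HKLM\\SECURITY\\Policy\\Secrets\\DefaultPassword\\CurrVal\\(Default)"},
    # Sysmon EID 1: SAM export from a folder that merely contains "security"
    {"LogSourceTypeId": 12, "EventName": "Sysmon Process Create",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save HKLM\\SAM C:\\security-audit\\sam.hiv",
     "TargetObject": None},
    # Same Mimikatz command line from a non-Windows log source type: filtered out
    {"LogSourceTypeId": 99, "EventName": "Process Create",
     "Image": "C:\\Users\\Public\\m.exe",
     "CommandLine": 'm.exe "lsadump::secrets" exit', "TargetObject": None},
]


if __name__ == "__main__":
    for idx, verdict in run_rule(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict} <- {SAMPLE_EVENTS[idx]['Image']}")
```

Events 0, 1 and 3 are reported as RegExport, DumpTool and RegistryAccess respectively; the services.exe write, the SAM export and the out-of-scope log source are not. A SAM export is worth its own rule (T1003.002), but keeping it out of this one is what the hive-name anchoring buys.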
Data Sources
- Sysmon Event ID 1 (Process Create) with Image and CommandLine, for the dump tool and reg.exe branches
- Sysmon Event IDs 12/13 (registry object create/delete and value set) with TargetObject, for writes under SECURITY\Policy\Secrets
- Windows Security Event ID 4688 (with command-line auditing enabled) as a fallback process creation source
Required Tables
- events
False Positives & Tuning
- Legitimate changes to LSA secrets go through the LSA policy interface and are therefore written by lsass.exe, which the query already excludes: enterprise PAM solutions (CyberArk, Delinea/Thycotic) rotating service account passwords, Sysinternals Autologon storing DefaultPassword, and machine account password changes all appear this way. A different Image writing under SECURITY\Policy\Secrets is almost never benign, so keep the writer exclusion list short rather than adding agents to it.
- Vulnerability scanners (Tenable Nessus, Qualys) running credentialed compliance checks spawn reg.exe on target hosts; tune on the scanner's service account and source IP, and do not suppress a save of the SECURITY hive, which compliance checks do not need.
- reg.exe may also be launched with reg query or reg export on unrelated keys whose names contain "security"; the rule requires save together with the HKLM\SECURITY or HKEY_LOCAL_MACHINE\SECURITY hive name, so such commands should not fire, and a hit outside a documented hive backup window should be investigated as an export of the hive.
Testing Methodology
Validate this detection against the three tests below, drawn from Atomic Red Team T1003.004. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Export SECURITY Registry Hive
Expected signal: Sysmon Event ID 1: Process Create for reg.exe with CommandLine 'save HKLM\SECURITY' (RegExport branch). Sysmon Event ID 11: FileCreate for atomic_security.hiv. Security Event ID 4688 for reg.exe. No Sysmon Event ID 12/13 is expected, because reg save reads the hive without modifying it; a read is only logged as Security Event ID 4663 if a SACL is configured on the key.
- Test 2: Mimikatz LSA Secrets Dump Command
Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe with 'lsadump::secrets' in CommandLine (DumpTool branch). Security Event ID 4688 for mimikatz.exe. lsadump::secrets reads the Secrets keys from the registry as SYSTEM, so no Sysmon Event ID 12/13 is expected; the command-line match is the signal. A renamed binary still matches because the rule keys on the command line, not on the image name.
- Test 3: LaZagne Credential Dump (LSA Secrets Module)
Expected signal: Sysmon Event ID 1: Process Create for lazagne.exe with the LSA secrets module selected on the command line (DumpTool branch, lsa_secrets pattern). Security Event ID 4688 for lazagne.exe. If the module exports the hives with reg.exe, the RegExport branch fires as well. Sysmon Event ID 10 ProcessAccess against lsass.exe appears only if other LaZagne modules perform in-memory extraction. Windows Defender may flag the binary as HackTool.
References
- https://attack.mitre.org/techniques/T1003/004/
- https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
- https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md