T1003.004 Splunk · SPL

Detect LSA Secrets in Splunk

Adversaries with SYSTEM access dump LSA secrets from HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets, which contain service account credentials, auto-logon passwords, IIS application pool credentials, scheduled task credentials, and VPN/dial-up credentials. Tools include Mimikatz (lsadump::secrets), Impacket secretsdump.py, gsecdump, LaZagne, and reg.exe (reg save) to copy the HKLM\SECURITY hive, usually together with HKLM\SYSTEM, whose boot key is needed to decrypt the secrets offline. Used by MuddyWater, APT33, APT29, OilRig, Ember Bear, Leafminer, and many others. Service account credentials from LSA secrets enable lateral movement to the services those accounts manage.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Sub-technique
T1003.004 LSA Secrets
Canonical reference
https://attack.mitre.org/techniques/T1003/004/

SPL Detection Query

Splunk (SPL)
index=wineventlog
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13)
    TargetObject="*\\SECURITY\\Policy\\Secrets*"
    NOT (Image="*\\lsass.exe" OR Image="*\\svchost.exe" OR Image="*\\services.exe"))
  OR
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (CommandLine="*lsadump::secrets*" OR CommandLine="*secretsdump*"
     OR (Image="*\\reg.exe" AND CommandLine="*save*" AND CommandLine="*security*")))
| eval DetectionType=case(
    (EventCode=12 OR EventCode=13), "RegistryAccess",
    match(CommandLine, "(?i)lsadump::secrets|secretsdump"), "DumpTool",
    match(Image, "(?i)reg\.exe") AND match(CommandLine, "(?i)save.*security"), "RegExport",
    1==1, "Other"
  )
| table _time, host, Image, CommandLine, TargetObject, User, DetectionType
| sort - _time
Severity: critical · Confidence: high

Detects LSA secrets theft using Sysmon Event ID 12/13 for registry activity under the SECURITY\Policy\Secrets path and Event ID 1 for process creation with LSA secrets dump commands. Coverage caveat: Sysmon Event ID 12 records registry key creation and deletion and Event ID 13 records value writes; neither records reads. Tools that only read Policy\Secrets (Mimikatz lsadump::secrets, secretsdump.py) and reg save, which copies the hive through the registry backup API, therefore produce no Sysmon 12/13 event, and the registry clause fires only when something writes under that path. To see reads, set a SACL on HKLM\SECURITY and collect Security Event ID 4663 (Object Access) for that key; otherwise the process-creation clause carries the coverage. Note also that eval match() is a case-sensitive regex while search-time wildcards are not, so the patterns in the case() statement need (?i); without it, "reg save HKLM\SECURITY" passes the search but is classified as "Other".
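A Python model of the SPL query, added here as an editorial example (it is not code from the original page or from Splunk): the search half with Splunk's case-insensitive wildcards, the eval/case() half with match() either case-sensitive or carrying (?i), and constructed Sysmon events (not real telemetry, field names follow Splunk's Sysmon extractions) that show why the (?i) matters: a case() without it classifies "reg save HKLM\SECURITY" as "Other", the (?i) form labels it "RegExport". The tool names, image paths and TargetObject values in the sample events are assumptions.

```python
import re
from fnmatch import fnmatch

SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

# Images the query's NOT clause exempts from the registry branch.
EXCLUDED_IMAGES = ("*\\lsass.exe", "*\\svchost.exe", "*\\services.exe")


def _glob(value, pattern):
    """Splunk-style wildcard match: field wildcards are case-insensitive."""
    return fnmatch((value or "").lower(), pattern.lower())


def matches_base_search(ev):
    """The search half of the SPL (everything before the first pipe)."""
    if ev.get("sourcetype") != SYSMON:
        return False
    code = ev.get("EventCode")
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    if code in (12, 13):
        return (_glob(ev.get("TargetObject"), "*\\SECURITY\\Policy\\Secrets*")
                and not any(_glob(image, p) for p in EXCLUDED_IMAGES))
    if code == 1:
        return (_glob(cmd, "*lsadump::secrets*")
                or _glob(cmd, "*secretsdump*")
                or (_glob(image, "*\\reg.exe")
                    and _glob(cmd, "*save*")
                    and _glob(cmd, "*security*")))
    return False


def detection_type(ev, case_insensitive=True):
    """The eval/case() half. eval match() is a case-sensitive regex unless the
    pattern carries (?i); case_insensitive=False reproduces that behaviour."""
    if not matches_base_search(ev):
        return None  # the event never reaches the eval
    flags = re.IGNORECASE if case_insensitive else 0
    if ev.get("EventCode") in (12, 13):
        return "RegistryAccess"
    cmd = ev.get("CommandLine", "")
    image = ev.get("Image", "")
    if re.search(r"lsadump::secrets|secretsdump", cmd, flags):
        return "DumpTool"
    if re.search(r"reg\.exe", image, flags) and re.search(r"save.*security", cmd, flags):
        return "RegExport"
    return "Other"


def run(events, case_insensitive=True):
    """Mimic the final table: (DetectionType, Image) for every matching event."""
    rows = []
    for ev in events:
        kind = detection_type(ev, case_insensitive)
        if kind is not None:
            rows.append((kind, ev.get("Image", "")))
    return rows


# Constructed sample events (not real telemetry) in Splunk-extracted field form.
SAMPLE_EVENTS = [
    {"sourcetype": SYSMON, "EventCode": 1,
     "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save HKLM\\SECURITY C:\\Windows\\Temp\\sec.hiv"},
    {"sourcetype": SYSMON, "EventCode": 1,
     "Image": "C:\\Users\\Public\\m.exe",
     "CommandLine": '"m.exe" "privilege::debug" "token::elevate" "lsadump::secrets" exit'},
    {"sourcetype": SYSMON, "EventCode": 13,
     "Image": "C:\\Windows\\System32\\lsass.exe",
     "TargetObject": "HKLM\\SECURITY\\Policy\\Secrets\\_SC_MyService\\CurrVal"},
    {"sourcetype": SYSMON, "EventCode": 13,
     "Image": "C:\\Users\\Public\\tool.exe",
     "TargetObject": "HKLM\\SECURITY\\Policy\\Secrets\\DefaultPassword\\CurrVal"},
    {"sourcetype": SYSMON, "EventCode": 1,
     "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows"},
]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row)
    # A case() without (?i) puts the upper-case reg save event in "Other".
    print(detection_type(SAMPLE_EVENTS[0], case_insensitive=False))
```

The lsass.exe event is dropped by the exclusion list before it reaches the eval, the reg query event never enters the base search, and the remaining three rows correspond to the three DetectionType values the query is meant to produce.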

Data Sources

  • Windows Registry: Registry Key Access
  • Process: Process Creation
  • Sysmon Event ID 12
  • Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • lsass.exe itself writing Policy\Secrets when service or machine account passwords are updated (already excluded by the query's NOT clause)
  • System Center Configuration Manager agent checking service account credentials
  • Enterprise password management solutions reading service account credentials from LSA
  • CyberArk or similar PAM solutions that manage and read service account passwords stored in LSA

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Export SECURITY Registry Hive

    Expected signal: Sysmon Event ID 1: Process Create for reg.exe with CommandLine 'save HKLM\SECURITY'. Sysmon Event ID 11: FileCreate for atomic_security.hiv. No Sysmon Event ID 12/13: reg save copies the hive through the registry backup API and neither creates keys nor sets values; with a SACL on HKLM\SECURITY, expect Security Event ID 4663 for reg.exe instead.

  2. Test 2: Mimikatz LSA Secrets Dump Command

    Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe with 'lsadump::secrets' in CommandLine. Security Event ID 4688 for mimikatz.exe process creation. lsadump::secrets reads SECURITY\Policy\Secrets without writing to it, so do not expect Sysmon Event ID 12/13; read visibility on that path requires a SACL on the key and Security Event ID 4663.

  3. Test 3: LaZagne Credential Dump (LSA Secrets Module)

    Expected signal: Sysmon Event ID 1: Process Create for lazagne.exe with '-lsa' parameter. Sysmon Event ID 10: ProcessAccess targeting lsass.exe if LaZagne attempts in-memory extraction. Security Event ID 4688 for lazagne.exe. Windows Defender may flag as HackTool.
