title: LSA Secrets (T1003.004)
id: df00tech-t1003-004
status: experimental
description: "Adversaries with SYSTEM access dump LSA secrets from HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets, which contain service account credentials, auto-logon passwords, IIS application pool credentials, scheduled task credentials, and VPN/dial-up credentials. Tools include Mimikatz (lsadump::secrets), Impacket secretsdump.py, gsecdump, LaZagne, and reg.exe to export HKLM\\SECURITY. Used by MuddyWater, APT33, APT29, OilRig, Ember Bear, Leafminer, and many others. Service account credentials from LSA secrets enable lateral movement to the services those accounts manage."
references:
  - https://attack.mitre.org/techniques/T1003/004/
  - https://df00tech.com/detections/T1003.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1003.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Security scanning tools or EDR products performing credential audit checks on HKLM\\SECURITY"
  - IT administrators running authorized credential audit scripts to inventory service account usage
  - Incident response tools collecting system state information including LSA secrets
  - Backup software with SYSTEM privileges reading SECURITY hive as part of system state backup
level: critical
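Added example, not part of the df00tech rule or the Sigma project: because the detection block above is a placeholder, this Python snippet applies the process-creation observables the description names (reg.exe acting on HKLM\SECURITY, a Mimikatz lsadump::secrets module on the command line) to constructed Sysmon-style events. The Sigma field names Image, CommandLine and User are real; the sample events and the tag strings are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of Windows process-creation events using Sigma's field names
# for the windows/process_creation logsource. These lines are made up for this
# example and are not telemetry from the page.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save HKLM\SECURITY C:\Windows\Temp\sec.hiv",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"',
     "User": r"CORP\alice"},
    {"Image": r"C:\Temp\m.exe",
     "CommandLine": r'm.exe "privilege::debug" "lsadump::secrets" exit',
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs",
     "User": r"NT AUTHORITY\SYSTEM"},
]

# The SECURITY hive (which holds Policy\Secrets) may be written as HKLM or
# HKEY_LOCAL_MACHINE; matching is case-insensitive. The second pattern is the
# Mimikatz module name the description cites.
_REG_SECURITY = re.compile(r"\b(?:HKLM|HKEY_LOCAL_MACHINE)\\SECURITY\b", re.IGNORECASE)
_LSADUMP = re.compile(r"lsadump::secrets", re.IGNORECASE)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a tag naming why the event matches, or None if it does not."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if image.endswith("\\reg.exe") and _REG_SECURITY.search(cmd):
        return "reg_security_hive"          # reg.exe save/export of HKLM\SECURITY
    if _LSADUMP.search(cmd):
        return "mimikatz_lsadump_secrets"   # lsadump::secrets on the command line
    return None


def detect(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (tag, CommandLine) for every matching event, in input order."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        tag = classify(ev)
        if tag is not None:
            hits.append((tag, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for tag, cmd in detect(SAMPLE_EVENTS):
        print(f"[{tag}] {cmd}")
```

The benign activity listed under falsepositives (backup software, EDR credential audits) would match the same way; allowlisting those tools' Image paths is an environment-specific tuning step.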
