H3-2021-0043

Credential Dumping - Local Security Authority (LSA) Secrets

Category	SECURITY_CONTROLS
Base Score	7.2

Description

The Local Security Authority (LSA) process is responsible for user authentication on Windows hosts. LSA secrets are persistent credentials stored in the Windows registry. Examples of such secrets are cached domain user credentials, passwords for scheduled tasks, Internet Explorer passwords, and service account passwords. Attackers with administrative privileges can extract these secrets from the registry or in memory using tools such as Impacket secretsdump.py, Mimikatz, and crackmapexec.

Impact

Attackers who obtain cleartext credentials or NTLM hashes can directly login with those credentials. Cached domain user credentials are stored hashed in the DCC1 or DCC2 format and can't be directly used. However, if a cached domain user credential is cracked, an attacker can use it to move laterally across the Active Directory environment. Attackers can also exploit password re-use with any LSA secrets to move laterally

References

• MITRE ATT&CK Technique: OS Credential Dumping: LSA Secrets
• MITRE ATT&CK Technique: OS Credential Dumping: Cached Domain Credentials