This note documents detection patterns for LSA secrets extraction (MITRE ATT&CK T1003.004) within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Look for execution of tools capable of extracting LSA secrets such as mimikatz, secretsdump.py, or PowerShell scripts accessing the SECURITY hive. |
| Security | 4656 | Handle requested to object | High | Access to the SECURITY registry hive may indicate attempts to retrieve LSA secrets. |
| Security | 4663 | Object access | High | Registry access events related to SECURITY hive or policy secrets. |
| Security | 4673 | Sensitive privilege used | High | SeDebugPrivilege or SeBackupPrivilege may be required to extract secrets. |
| Sysmon | 1 | Process creation | Critical | Execution of credential dumping tools or scripts targeting LSA secrets. |
| Sysmon | 11 | File creation | High | Creation of exported SECURITY hive files or temporary dump artifacts. |
| Sysmon | 13 | Registry value set | Medium | Registry interactions involving SECURITY hive or LSA policy keys. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Registry hive export | Commands exporting SECURITY hive using reg save | Critical | Common attacker technique to retrieve LSA secrets offline. |
| Suspicious credential tools | Execution of mimikatz or secretsdump utilities | High | Often used to extract service account credentials stored as LSA secrets. |
| Temporary hive files | Files like security.save appearing in temporary directories | High | Indicates registry hive export prior to offline credential extraction. |
| Privilege escalation before access | Elevation to administrative privileges prior to registry access | Medium | Often required to read LSA secrets. |
| Post-extraction credential use | Authentication attempts using service accounts stored in LSA secrets | Critical | Indicates attacker successfully extracted credentials. |
Common Tools
| Tool | Usage |
|---|---|
| Mimikatz | Extracts LSA secrets and stored service credentials. |
| Impacket secretsdump.py | Retrieves LSA secrets from local or remote hosts. |
| reg.exe | Exports SECURITY registry hive for offline analysis. |
| PowerShell scripts | Custom scripts used to read registry hives or extract secrets. |
| Cobalt Strike | Often used to execute credential dumping modules. |
Relevant Artifacts
- Windows Security logs (4688, 4656, 4663, 4673)
- Sysmon logs (1, 11, 13)
- SECURITY registry hive and exported copies
- Temporary files containing registry dumps
- Prefetch artifacts for dumping utilities
- MFT artifacts showing hive export creation
- PowerShell logs (4103, 4104)
- Endpoint telemetry identifying credential dumping behavior
MITRE ATT&CK References
- T1003 OS Credential Dumping
- T1003.004 LSA Secrets
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Look for process execution exporting or accessing the SECURITY registry hive.
- What host generated the event?
  - Identify the compromised system performing the registry access.
- Is the account expected to perform this action?
  - Access to the SECURITY hive is rare outside system processes.
- Pivot:
  - Source host → analyze the process tree and command lines.
  - Account → review privileges and group memberships.
  - Network → check for lateral movement after credential extraction.
- Confirm exploitation
  - Investigate whether the extracted credentials were subsequently used in authentication events.
Example Detection Templates
KQL

```kql
// Security 4688: reg save of the SECURITY hive (contains is case-insensitive in KQL;
// "reg save" as a literal will not match "reg.exe save", widen the filter if that matters)
SecurityEvent
| where EventID == 4688
| where CommandLine contains "reg save" and CommandLine contains "SECURITY"
| project TimeGenerated, Computer, NewProcessName, CommandLine, ParentProcessName
```

```kql
// Sysmon 11: exported hive file appearing on disk (table name depends on how Sysmon is ingested)
Sysmon
| where EventID == 11
| where TargetFilename contains "security"
| project TimeGenerated, Computer, TargetFilename, Image
```

EQL

```eql
// like~ is the case-insensitive form of like; plain like would miss "REG SAVE"
process where process.command_line like~ "*reg save*SECURITY*"
```
Sigma

```yaml
title: LSA Secrets Registry Hive Dump
id: lsa-secrets-dump   # placeholder; the Sigma specification expects a UUID here
status: experimental
description: Detects attempts to export the SECURITY registry hive, which may contain LSA secrets
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    # contains|all requires every value; a plain contains list is OR-ed and
    # would fire on any command line that merely mentions "SECURITY"
    CommandLine|contains|all:
      - 'reg save'
      - 'SECURITY'
  condition: selection
fields:
  - CommandLine
  - ParentImage
falsepositives:
  - Legitimate administrative backup operations
level: high
tags:
  - attack.credential_access
  - attack.t1003.004
```
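As an added example (not part of the original note), the following Python script applies the indicators above to a handful of constructed events: a reg save of the SECURITY hive seen in a 4688/Sysmon 1 command line, a known dumping tool name, and a Sysmon 11 hive export file that is raised to critical when it follows a reg save on the same host within a short window. Hostnames, users, timestamps and the event dictionary shape are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from any real host); the shape mirrors Security 4688 /
# Sysmon 1 (process creation) and Sysmon 11 (file creation) after log parsing.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "WS01", "id": 4688, "user": "CORP\\backupsvc",
     "cmd": "reg.exe save HKLM\\SYSTEM C:\\Backup\\system.hiv"},            # other hive, not flagged
    {"ts": "2024-05-01T10:02:10", "host": "WS02", "id": 4688, "user": "CORP\\jdoe",
     "cmd": "REG SAVE HKEY_LOCAL_MACHINE\\SECURITY C:\\Windows\\Temp\\security.save"},
    {"ts": "2024-05-01T10:02:11", "host": "WS02", "id": 11,
     "file": "C:\\Windows\\Temp\\security.save"},
    {"ts": "2024-05-01T10:05:00", "host": "WS03", "id": 4688, "user": "CORP\\svc_app",
     "cmd": "python.exe C:\\tools\\secretsdump.py LOCAL"},
    {"ts": "2024-05-01T10:07:00", "host": "WS04", "id": 4688, "user": "CORP\\jdoe",
     "cmd": "notepad.exe C:\\docs\\SECURITY-review.txt"},                    # benign mention
]

# reg save of the SECURITY hive: both hive spellings, any casing, optional .exe suffix.
REG_SAVE_SECURITY = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\SECURITY\b", re.IGNORECASE)
# Tool names from this note, matched as whole words so a path like C:\tools\secretsdump.py hits.
DUMP_TOOLS = re.compile(r"\b(mimikatz|secretsdump)\b", re.IGNORECASE)
# Exported hive artefacts: security.save anywhere, or any .save/.hiv file in a Temp directory.
HIVE_FILE = re.compile(r"(\\security\.save$|\\temp\\[^\\]+\.(save|hiv)$)", re.IGNORECASE)
CORRELATION_WINDOW = timedelta(minutes=5)


def detect(events):
    """Return (host, rule, severity) alerts; hive files following a reg save are critical."""
    alerts, recent_exports = [], {}  # host -> time of last SECURITY hive export command
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] in (4688, 1):
            cmd = e["cmd"]
            if REG_SAVE_SECURITY.search(cmd):
                recent_exports[e["host"]] = ts
                alerts.append((e["host"], "reg_save_security_hive", "high"))
            elif DUMP_TOOLS.search(cmd):
                alerts.append((e["host"], "credential_dumping_tool", "high"))
        elif e["id"] == 11 and HIVE_FILE.search(e["file"]):
            last = recent_exports.get(e["host"])
            sev = "critical" if last and ts - last <= CORRELATION_WINDOW else "medium"
            alerts.append((e["host"], "exported_hive_file", sev))
    return alerts


if __name__ == "__main__":
    for host, rule, sev in detect(EVENTS):
        print(f"{sev.upper():8} {host:5} {rule}")
```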
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Privilege restriction | Limit SeBackupPrivilege and administrative access | High | Prevents unauthorized registry hive exports. |
| Endpoint monitoring | Deploy EDR capable of detecting credential dumping tools | High | Detects suspicious registry and process behavior. |
| Least privilege | Restrict local administrator rights | High | Reduces ability to access SECURITY hive. |
| Auditing | Enable registry access auditing | Medium | Provides visibility into SECURITY hive access attempts. |
| Credential hygiene | Avoid storing sensitive service credentials as LSA secrets | High | Reduces value of extracted secrets. |