detection.wiki

OS Credential Dumping: LSA Secrets T1003.004

Tactic: Credential Access

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.

Events covered

19 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 10ProcessAccess
SysmonEvent ID 11FileCreate
SysmonEvent ID 13RegistryEvent (Value Set)
SysmonEvent ID 17PipeEvent (Pipe Created)
SysmonEvent ID 18PipeEvent (Pipe Connected)
Security-AuditingEvent ID 4656A handle to an object was requested.
Security-AuditingEvent ID 4662An operation was performed on an object.
Security-AuditingEvent ID 4672Special privileges assigned to new logon.
Security-AuditingEvent ID 4674An operation was attempted on a privileged object.
Security-AuditingEvent ID 4688A new process has been created.
Security-AuditingEvent ID 4690An attempt was made to duplicate a handle to an object.
Security-AuditingEvent ID 4692Backup of data protection master key was attempted.
Security-AuditingEvent ID 4697A service was installed in the system.
Security-AuditingEvent ID 5145A network share object was checked to see whether client can be granted desired access.
Defender-DeviceNetworkEventsNetworkSignatureInspectedNetwork signature inspected
Windows-DefenderEvent ID 1116Product Name has detected malware or other potentially unwanted software.
Windows-DefenderEvent ID 1117Product Name has taken action to protect this machine from malware or other potentially unwanted software.
Service-Control-ManagerEvent ID 7045A service was installed in the system.

Authoring guide

Patterns shared across the 23 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (39 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine4contains 3, match 1 export , eˣport , save , (?i)KERNELBASE.dll, (?i)mimikatz
EventType4eq 3, ne 1LogonFailed, NetworkSignatureInspected, logged-in-special, open
Image4ends_with 2, eq 1, is_not_null 1\memprocfs.exe, \reg.exe, active directory
OriginalFileName3eq 3reg.exe, memprocfs.exe
process_name3ends_with 1, eq 1, match 1(?i).lsass.exe, \system32\wbem\wmiprvse.exe, reg.exe
EventID2eq 21, 10, 4656, 4688, 4690
ObjectName2contains 1, starts_with 1\REGISTRY\MACHINE\SAM\SAM\DOMAINS\Account, \REGISTRY\MACHINE\SAM\SAM\DOMAINS\Builtin, \REGISTRY\MACHINE\SECURITY\Cache, bckupkey
ObjectType2eq 2Key, SecretObject
RelativeTargetName2contains 1, eq 1.tmp, system32\, winreg
ScriptBlockText2eq 1, in 1cert_system_store_local_machine, crypto::certificates, dpapi::cred, invoke-ninjacopy, stealthclosefile
TargetFilename2contains 1, ends_with 1, eq 1?:\windows\system32\config\regback\sam, ?:\windows\system32\config\regback\security, ?:\windows\system32\config\regback\system, \cachedump.exe, \cachedump64.exe
event.category2eq 2process
AccessMask1eq 10x2
Description1eq 1MemProcFS
Details1eq 1, is_not_null 10x00000000

Top indicator values (179 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
OriginalFileNameeq
reg.exe
242
event.categoryeq
process
2128
AccessMaskeq
0x2
14
CommandLinecontains
export
13
CommandLinecontains
eˣport
1
CommandLinecontains
save
1
CommandLinecontains
ˢave
1
CommandLinecontains
-device
1
CommandLinecontains
::aadcookie
12
CommandLinecontains
::detours
12
CommandLinecontains
::memssp
12
CommandLinecontains
::mflt
12
CommandLinecontains
::mstsc
12
CommandLinecontains
::multirdp
12
CommandLinecontains
::ncroutemon
12
CommandLinecontains
::ngcsign
12
CommandLinecontains
::preshutdown
12
CommandLinecontains
::printnightmare
12
CommandLinecontains
::skeleton
12
CommandLinecontains
\sam
1
CommandLinecontains
\security
1
CommandLinecontains
\system
1
CommandLinecontains
\syˢtem
1
CommandLinecontains
\ˢam
1
CommandLinecontains
\ˢecurity
1
CommandLinecontains
\ˢystem
1
CommandLinecontains
\ˢyˢtem
1
CommandLinecontains
crypto::
12
CommandLinecontains
dpapi::
13
CommandLinecontains
dumpcreds
12

Exclusions (18 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
Imagewildcard
?:\program files (x86)\padvish av\apccsvc.exe
1
Imagewildcard
?:\program files\bitdefender\endpoint security\epsecurityservice.exe
1
Imagewildcard
?:\program files\common files\mcafee\avsolution\mcshield.exe
1
Imagewildcard
?:\program files\cylance\optics\cyoptics.exe
1
Imagewildcard
?:\program files\n-able technologies\avdefender\epsecurityservice.exe
1
Imagewildcard
?:\program files\sophos\endpoint defense\sophosscancoordinator.exe
1
Imagewildcard
?:\program files\sophos\endpoint defense\sspservice.exe
1
Imagewildcard
?:\program files\symantec\symantec endpoint protection\*\bin64\ccsvchst.exe
1
Imagewildcard
?:\program files\trend micro\amsp\coreserviceshell.exe
1
Imagewildcard
?:\program files\windows defender advanced threat protection\mssense.exe
1
Imagewildcard
?:\windows\system32\taskhost.exe
1
Imagewildcard
?:\windows\system32\taskhostw.exe
1
PrivilegeListeq
SeDebugPrivilege
1
ScriptBlockTexteq
powersploitindicators
1
ScriptBlockTexteq
sentinelbreakpoints
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 13 rules

Elastic 5 rules

Splunk 3 rules

Kusto 2 rules