LSA Secrets

Information

• Name: LSA Secrets

• ID: T1003.004

• Tactics: TA0006

• Technique: T1003

Introduction

Local Security Authority (LSA) Secrets is a sub-technique under MITRE ATT&CK technique T1003 (OS Credential Dumping), specifically identified as T1003.004. It involves attackers extracting sensitive credentials from the Windows Local Security Authority subsystem. LSA is responsible for managing authentication and storing credentials, making it a valuable target. Attackers leverage this sub-technique to retrieve credentials such as user passwords, service account passwords, and system secrets, facilitating lateral movement, privilege escalation, and persistence within compromised environments.

Deep Dive Into Technique

Local Security Authority (LSA) secrets are stored in memory and registry locations managed by the Windows Local Security Authority Subsystem Service (LSASS.exe). LSASS maintains credentials in memory to facilitate single sign-on (SSO) and other authentication mechanisms. Attackers typically access LSA secrets by:

• Dumping the LSASS process memory using tools such as:

  • Mimikatz

  • ProcDump

  • Task Manager (built-in Windows utility)

• Accessing registry entries directly:

  • Stored under registry keys like HKEY_LOCAL_MACHINE\Security\Policy\Secrets

  • Registry hives are protected, requiring elevated privileges or exploitation of vulnerabilities

• Utilizing custom scripts or tools that interface with Windows APIs:

  • Windows API functions like LsaRetrievePrivateData can be abused to retrieve secrets programmatically

• Exploiting vulnerabilities or misconfigurations:

  • Privilege escalation vulnerabilities or weak system configurations enable unauthorized access to LSA secrets without raising suspicion

Typical data extracted from LSA secrets may include:

• User account passwords or NTLM hashes

• Service account credentials

• Cached domain credentials

• System-level secrets, such as VPN credentials, scheduled task passwords, or auto-logon credentials

When this Technique is Usually Used

Attackers commonly employ LSA secrets extraction during several attack stages and scenarios, including:

• Initial Access and Privilege Escalation:

  • Attackers who have gained initial foothold on a system may dump credentials to escalate privileges and move laterally.

• Lateral Movement:

  • Credentials extracted from one compromised host can enable attackers to authenticate and access other systems within the network.

• Persistence:

  • Attackers leverage extracted service account credentials or system secrets to maintain long-term access and persistence.

• Credential Harvesting:

  • Targeted credential theft for reuse in future attacks or sale on underground markets.

• Reconnaissance:

  • Gathering sensitive credentials to map out enterprise infrastructure and identify high-value targets.

How this Technique is Usually Detected

Detection of LSA secrets extraction involves monitoring system events, processes, and behaviors indicative of credential dumping activity. Common detection methods include:

• Process Monitoring and Auditing:

  • Monitor LSASS process memory access attempts by unusual or unauthorized processes.

  • Detect use of tools like Mimikatz, ProcDump, or suspicious PowerShell scripts.

• Windows Event Logs:

  • Event ID 4656 (Audit handle manipulation) indicating access to LSASS memory.

  • Event ID 4663 (Attempted access to sensitive objects) indicating suspicious access to registry keys storing LSA secrets.

  • Event ID 4688 (New process creation) logs for suspicious command-line arguments or tools execution.

• Endpoint Detection and Response (EDR) Tools:

  • EDR solutions provide behavioral analytics to detect credential dumping attempts.

  • Detection of suspicious API calls (LsaRetrievePrivateData) or abnormal memory access patterns.

• Indicators of Compromise (IoCs):

  • Presence of known credential dumping binaries (e.g., mimikatz.exe, procdump.exe).

  • Suspicious registry access or modifications to HKEY_LOCAL_MACHINE\Security\Policy\Secrets.

  • Unusual command-line executions targeting LSASS process (e.g., procdump.exe -ma lsass.exe).

• Memory Scanning:

  • Periodic memory scanning for injected code or suspicious artifacts indicative of credential dumping.

Why it is Important to Detect This Technique

Early detection of LSA secrets extraction is crucial due to its severe impact on organizational security posture. Importance of detection includes:

• Preventing Privilege Escalation:

  • Early detection prevents attackers from escalating privileges, limiting their ability to compromise critical systems.

• Limiting Lateral Movement:

  • Credential theft facilitates lateral movement; detection helps contain attackers within initial compromised hosts.

• Protecting Sensitive Information:

  • Detection helps safeguard sensitive credentials, preventing unauthorized access to confidential data and critical systems.

• Reducing Attack Dwell Time:

  • Early detection reduces attacker dwell time, minimizing damage and facilitating quicker incident response.

• Regulatory Compliance:

  • Organizations subject to regulatory compliance (e.g., GDPR, HIPAA, PCI DSS) must detect credential theft to avoid penalties and reputational damage.

• Preventing Long-term Persistence:

  • Early identification of credential theft prevents attackers from establishing persistent footholds within the network.

Examples

Real-world examples of LSA secrets extraction attacks include:

• Mimikatz Credential Dumping:

  • Attackers frequently use Mimikatz to dump LSASS memory, extracting plaintext passwords and NTLM hashes.

  • Example command: sekurlsa::logonpasswords

  • Impact: Enables attackers to escalate privileges, move laterally, and maintain persistence.

• Operation Cobalt Kitty (APT32):

  • Attackers leveraged credential dumping techniques, including LSASS memory dumps, to steal credentials and escalate privileges.

  • Tools used included modified versions of Mimikatz and custom scripts.

  • Impact: Persistent access to targeted organizations, exfiltration of sensitive data.

• Ryuk Ransomware Attacks:

  • Ryuk operators frequently used credential dumping via LSASS memory extraction to move laterally within victim networks.

  • Tools included ProcDump and custom PowerShell scripts to extract credentials.

  • Impact: Rapid lateral movement, widespread ransomware deployment, and severe operational disruptions.

• FIN6 Financial Sector Attacks:

  • FIN6 threat group utilized credential dumping techniques targeting LSASS to harvest privileged credentials.

  • Extracted credentials facilitated lateral movement and allowed attackers to compromise payment processing systems.

  • Impact: Theft of financial data, financial fraud, and significant financial losses for targeted organizations.

• TrickBot Malware Campaigns:

  • TrickBot malware modules included credential dumping capabilities, specifically targeting LSASS memory.

  • Extracted credentials enabled attackers to move laterally and deploy ransomware (e.g., Ryuk, Conti).

  • Impact: Massive ransomware infections, data theft, and severe financial and operational impacts for affected organizations.