LSA Secrets - T1003.004
(ATT&CK® Technique)
Definition
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.
D3FEND Inferred Relationships
Offensive technique to artifact:
LSA Secrets (T1003.004) may-access Process
LSA Secrets (T1003.004) may-access System Password Database

Defensive technique to artifact, with the inferred relationship to LSA Secrets:
Process Suspension suspends Process; may-evict LSA Secrets
Host Shutdown terminates Process; may-evict LSA Secrets
Process Termination terminates Process; may-evict LSA Secrets
Host Reboot terminates Process; may-evict LSA Secrets
Hardware-based Process Isolation isolates Process; may-isolate LSA Secrets
Kernel-based Process Isolation isolates Process; may-isolate LSA Secrets
Application-based Process Isolation isolates Process; may-isolate LSA Secrets
System Call Filtering isolates Process; may-isolate LSA Secrets
Restore Database restores System Password Database; may-restore LSA Secrets
Process Self-Modification Detection analyzes Process; may-detect LSA Secrets
Process Spawn Analysis analyzes Process; may-detect LSA Secrets
Process Lineage Analysis analyzes Process; may-detect LSA Secrets