H3-2021-0043

Credential Dumping - Local Security Authority (LSA) Secrets

Category SECURITY_CONTROLS
Base Score 7.2

Description

The Local Security Authority (LSA) process is responsible for user authentication on Windows hosts. LSA secrets are persistent credentials stored in the Windows registry. Examples of such secrets are cached domain user credentials, passwords for scheduled tasks, Internet Explorer passwords, and service account passwords. Attackers with administrative privileges can extract these secrets from the registry or from memory using tools such as Impacket secretsdump.py, Mimikatz, and crackmapexec.

Impact

Attackers who obtain cleartext credentials or NTLM hashes can log in directly with those credentials. Cached domain user credentials are stored hashed in the DCC1 or DCC2 format and cannot be used directly. However, if a cached domain user credential is cracked, an attacker can use it to move laterally across the Active Directory environment. Attackers can also exploit password re-use with any LSA secrets to move laterally.
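Because extraction requires administrative privileges on the host, the practical defensive levers are limiting who holds those privileges and reducing what LSA keeps on disk or in memory. The following PowerShell audit is an added example, not part of this advisory: it reports the local Administrators membership and three Windows hardening settings relevant to this finding (LSA Protection, cached domain logon count, and storage of domain credentials). The registry paths and value names are standard Windows settings; the "hardened" target values are this example's assumptions and should be reconciled with the organization's own baseline.

```powershell
# Added example (not part of the original advisory): audit local settings that
# reduce exposure of LSA secrets and cached domain credentials.
# Run in an elevated PowerShell session on the host being assessed.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # value absent: the Windows default applies
    }
}

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Each check carries the Windows default and a predicate describing the hardened state
# (assumed targets for this example; align them with your own baseline).
$checks = @(
    # LSA Protection: 1 (or 2 with UEFI lock) stops unsigned code from reading LSASS memory.
    @{ Name = 'RunAsPPL';           Path = $lsa;      Default = 0;  Hardened = { param($v) $v -ge 1 } }
    # Number of domain logons cached as DCC2 hashes; 0 disables caching. Roaming laptops
    # usually keep a small non-zero value, so treat a finding here as a review item.
    @{ Name = 'CachedLogonsCount';  Path = $winlogon; Default = 10; Hardened = { param($v) $v -eq 0 } }
    # 1 = "Do not allow storage of passwords and credentials for network authentication".
    @{ Name = 'DisableDomainCreds'; Path = $lsa;      Default = 0;  Hardened = { param($v) $v -eq 1 } }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    if ($null -eq $actual) { $actual = $c.Default }
    $actual = [int]$actual   # CachedLogonsCount is stored as REG_SZ, the others as REG_DWORD
    [pscustomobject]@{
        Setting = $c.Name
        Actual  = $actual
        Status  = if (& $c.Hardened $actual) { 'OK' } else { 'REVIEW' }
    }
}

$results | Format-Table -AutoSize

# Every member listed here can dump LSA secrets from this host; keep the list minimal.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize
```

A `REVIEW` row is a prompt to compare against the baseline, not automatically a misconfiguration; the Administrators listing is the more important output, since membership there is the precondition for this technique.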

References