LSA Secrets

What are LSA Secrets?

The Local Security Authority (LSA) secrets are integral components within Windows operating systems, managing a wide array of sensitive and confidential information crucial for both local and network security. These secrets encompass credentials for service accounts, domain accounts, and computer accounts. Stored within the Windows Registry, these secrets are encrypted to safeguard against unauthorized access. The encryption of LSA secrets ensures that even if an attacker gains access to the registry, they cannot easily retrieve the plaintext credentials without further decryption.

Why are LSA Secrets Important?

LSA secrets are pivotal for maintaining the security integrity of a Windows environment due to the various credential materials they store. These materials include:

  • Service Account Credentials: These are used to access specific services or applications that run under the context of these accounts.

  • Domain Account Credentials: These enable access to other systems within the domain, potentially allowing for lateral movement within a network.

  • Computer Account Credentials: These are used to access other computers in the network, facilitating network-wide compromise.

  • NTLM Hashes: These are cryptographic representations of passwords that can be used to authenticate as a user without needing the plaintext password.

  • Kerberos Tickets: These are authentication tokens used within the Kerberos protocol for secure network authentication and can be used for pass-the-ticket attacks.

If an attacker gains access to these secrets, they can leverage them for a range of malicious activities, including lateral movement within a network, privilege escalation, and establishing persistent access to compromised systems.

Techniques for Accessing LSA Secrets

Attackers employ a variety of sophisticated techniques to extract LSA secrets, leveraging SYSTEM-level access to circumvent security measures.

Direct Registry Access: With SYSTEM-level privileges, attackers can directly access the registry keys where LSA secrets are stored. For instance, using tools like reg.exe, they can export the contents of the SECURITY hive with commands such as reg save hklm\security <file>. Despite this direct access, the secrets are encrypted, necessitating additional steps to decrypt them. Custom tools may be developed by attackers to parse and decrypt these secrets from the hive file.

Volume Shadow Copy Service (VSS): This method involves creating a shadow copy of the system drive to access files that are otherwise locked, including registry hives containing LSA secrets. Once a shadow copy is created, attackers can copy the SECURITY hive from the shadow copy and use decryption tools to extract the secrets. This technique is particularly effective because it allows attackers to access critical data without disrupting normal system operations.

Pass-the-Hash / Pass-the-Ticket: Using extracted NTLM hashes or Kerberos tickets, attackers can authenticate as a user without needing the plaintext password. In pass-the-hash attacks, attackers use NTLM hashes to gain access to systems, while in pass-the-ticket attacks, they use Kerberos tickets to move laterally within a network or escalate privileges.

Credential Dumping Tools

Numerous specialized tools are designed for dumping LSA (Local Security Authority) secrets from compromised systems. These tools facilitate the extraction of sensitive information such as credentials, NTLM (NT LAN Manager) hashes, and Kerberos tickets, often leveraging vulnerabilities and security gaps within the system to access this protected data.

Mimikatz

Mimikatz is one of the most renowned tools in the realm of credential dumping. Its capabilities extend to extracting LSA secrets, NTLM hashes, and Kerberos tickets directly from memory. Mimikatz operates by injecting itself into the LSASS (Local Security Authority Subsystem Service) process, thereby bypassing some of the challenges associated with direct registry access. This method allows it to extract credentials stored in memory, making it an invaluable tool for attackers seeking to gain unauthorized access to systems.

To extract LSA secrets using Mimikatz, one typically launches Mimikatz with administrative privileges and uses the privilege::debug command to ensure Mimikatz has the necessary privileges. The command sekurlsa::logonpasswords is then used to inject into the LSASS process and list the logon sessions, providing information such as usernames, domain names, and password hashes directly from memory.

secretsdump.py from Impacket

secretsdump.py is a Python script that is part of the Impacket collection of tools. It is designed to extract LSA secrets and other credential materials from remote systems using the SMB (Server Message Block) protocol. This tool is particularly useful for attackers who have managed to gain network access and wish to perform remote credential dumping without needing physical access to the target machine.

To extract LSA secrets using secretsdump.py, the typical command format is python secretsdump.py <domain>/<username>:<password>@<target-ip>. For example, python secretsdump.py domain/adminuser:password@192.168.1.10 connects to the target machine over SMB and retrieves LSA secrets, NTLM hashes, and other credential information.

gsecdump

gsecdump is another tool used for extracting LSA secrets from compromised systems. It works by dumping the contents of the LSASS process and extracting sensitive information from it. To use gsecdump to extract LSA secrets, the command gsecdump -a -s is typically used. This command instructs gsecdump to extract all available information, including LSA secrets, from the target system.

LSADump

LSADump is a tool that facilitates the extraction of LSA secrets and other sensitive information from compromised systems. It can be used to retrieve data such as cached credentials and password hashes. To use LSADump to extract LSA secrets, the command lsadump::secrets is typically used. This command extracts and displays the secrets stored in the LSA database, including cached domain credentials and other sensitive information.

Detection

Command Execution Indicators:

  • Suspicious Command Execution: Monitor executed commands and arguments that may indicate attempts to access LSA secrets. This includes remote access tools incorporating Mimikatz and custom scripts or binaries designed for credential dumping.

  • PowerShell Logging: Detailed PowerShell logging should capture suspicious command execution. Look for commands related to credential dumping or those attempting to access system security functions.

Registry Access Indicators:

  • Access to Specific Registry Keys: Regularly monitor access to the registry path HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. Unauthorized access to this registry key is rare and should be considered highly suspicious.

  • Registry Export Commands: Detect the use of reg.exe or similar tools attempting to export the contents of the SECURITY hive. Commands such as reg save hklm\security <file> are indicative of efforts to extract LSA secrets.

Volume Shadow Copy Service (VSS) Indicators:

  • Shadow Copy Creation: Detect commands that create shadow copies, such as vssadmin create shadow /for=C:, which could indicate attempts to access locked files, including registry hives containing LSA secrets.

  • Copying Registry Hives: Monitor for file operations involving copying the SECURITY hive from shadow copies. This can include commands accessing paths like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\System32\config\SECURITY.

Pass-the-Hash / Pass-the-Ticket Indicators:

  • NTLM Hash Usage: Monitor for authentication attempts using NTLM hashes rather than plaintext passwords, which can indicate pass-the-hash attacks.

  • Kerberos Ticket Usage: Track unusual Kerberos ticket requests or usage patterns that might suggest pass-the-ticket attacks. This includes monitoring for tickets with extended lifetimes or those used on multiple devices.

Credential Dumping Tool Indicators:

  • Mimikatz Usage: Detect the execution of Mimikatz, commonly identified by processes named mimikatz.exe or command-line arguments related to Mimikatz functions. Look for processes attempting to inject into the lsass.exe process.

  • Other Tools: Monitor for the use of other credential dumping tools like secretsdump.py, gsecdump, and LSADump. These tools have distinctive command-line arguments and execution patterns.

  • PowerShell Scripts: Closely monitor PowerShell scripts that import or invoke credential dumping modules such as PowerSploit's Invoke-Mimikatz. Detailed PowerShell logging and script block logging can help capture such activities.
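As an added example (not part of the original page), the command-line, registry-access, shadow-copy and tool indicators listed above are turned into detection logic and run over constructed Sysmon process-creation (Event ID 1) and Security registry-access (Event ID 4663) records. The sample records, the rule names and the allow-list of processes expected to read the secrets key are assumptions made for this example.

```python
import re

# Constructed sample telemetry (not from a real host). Sysmon Event ID 1 records carry
# the command line; Security Event ID 4663 records carry the registry object name.
# 4663 is only logged for Policy\Secrets if an audit SACL has been set on that key.
SAMPLE_EVENTS = [
    {"id": 1, "cmd": r"reg save hklm\security C:\Temp\sec.hiv"},
    {"id": 1, "cmd": "vssadmin create shadow /for=C:"},
    {"id": 1, "cmd": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                     r"\Windows\System32\config\SECURITY C:\Temp\SECURITY"},
    {"id": 1, "cmd": "mk.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"id": 1, "cmd": "powershell -nop -c Invoke-Mimikatz -DumpCreds"},
    {"id": 1, "cmd": "python secretsdump.py domain/adminuser:password@192.168.1.10"},
    {"id": 1, "cmd": r"reg query hklm\software\microsoft\windows"},  # benign
    {"id": 4663, "process": r"C:\Users\Public\tool.exe",
     "object": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets"},
    {"id": 4663, "process": r"C:\Windows\System32\lsass.exe",  # expected reader
     "object": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets"},
]

# Command-line indicators from the Detection section. Matching on Mimikatz module
# names rather than the binary name also catches a renamed mimikatz.exe.
CMDLINE_RULES = {
    "security_hive_export":  r"\breg(?:\.exe)?\s+save\s+hklm\\security\b",
    "shadow_copy_creation":  r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b",
    "shadow_copy_hive_read": r"harddiskvolumeshadowcopy\d+\\windows\\system32\\config\\security\b",
    "mimikatz_module":       r"(?:privilege::debug|sekurlsa::logonpasswords|lsadump::secrets)",
    "invoke_mimikatz":       r"\binvoke-mimikatz\b",
    "remote_dump_tool":      r"\b(?:secretsdump\.py|gsecdump(?:\.exe)?)\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in CMDLINE_RULES.items()}

# LSASS legitimately reads the secrets key; any other process touching it is suspect.
EXPECTED_SECRETS_READERS = {r"c:\windows\system32\lsass.exe"}
SECRETS_KEY = r"\registry\machine\security\policy\secrets"

def detect(events):
    """Return (rule_name, event) pairs for every event matching an LSA-secrets indicator."""
    hits = []
    for ev in events:
        if ev["id"] == 1:
            hits.extend((name, ev) for name, rx in COMPILED.items() if rx.search(ev["cmd"]))
        elif ev["id"] == 4663 and ev["object"].lower().endswith(SECRETS_KEY):
            if ev["process"].lower() not in EXPECTED_SECRETS_READERS:
                hits.append(("secrets_key_access", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {ev.get('cmd') or ev['process']}")
```

In production the allow-list and the regex set should be tuned against the environment's own baseline, since administrative tooling can legitimately create shadow copies or export hives.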
