
DET0437 Detection of LSA Secrets Dumping via Registry and Memory Extraction

Item          | Value
ID            | DET0437
Version       | 1.0
Created       | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1003.004 (LSA Secrets)

Analytics

Windows

AN1212

Detects adversary activity aimed at accessing LSA Secrets, including registry key export of HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets or memory scraping via tools such as Mimikatz or PowerSploit’s Invoke-Mimikatz.

Log Sources
Data Component             | Name                 | Channel
File Modification (DC0061) | WinEventLog:Security | EventCode=4663, 4670, 4656
Process Creation (DC0032)  | WinEventLog:Sysmon   | EventCode=1
Process Access (DC0035)    | WinEventLog:Sysmon   | EventCode=10
Module Load (DC0016)       | WinEventLog:Sysmon   | EventCode=7

Mutable Elements
Field        | Description
TargetObject | Target registry paths like HKLM\SECURITY\Policy\Secrets or variants can be tuned depending on OS version or registry redirection settings.
ImageLoaded  | Module names such as lsasrv.dll, sechost.dll, or suspicious DLLs loaded by user processes may require tuning for known-good service operations.
AccessMask   | Tuning based on whether processes are using specific sensitive access rights (e.g., 0x2 or 0x4).
TimeWindow   | Temporal window between registry access and command-line tool execution.
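The following is an added worked example of how AN1212 can be expressed as detection logic; it is not MITRE's own analytic code. It tags each of the four log sources above (Security 4656/4663/4670 on the Secrets key, Sysmon 1, Sysmon 10 and Sysmon 7) with an indicator, then correlates indicators per host and process inside the TimeWindow. The mutable elements appear as tunables at the top. The events are constructed and assumed to be pre-parsed into dicts with Windows Security / Sysmon field names (with ProcessId normalized to an integer); the known-good image list, the 0x10 (PROCESS_VM_READ) bit for lsass access and the extra 0x1 (query value) bit for registry reads are assumptions of this example, not values from the page.

```python
"""Correlate the DET0437 / AN1212 signals over constructed sample events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Mutable elements from the analytic, expressed as tunables.
SECRETS_KEY = r"\security\policy\secrets"           # TargetObject substring (lower-cased)
SENSITIVE_MODULES = {"lsasrv.dll", "sechost.dll"}   # ImageLoaded names of interest
REG_ACCESS_BITS = 0x1 | 0x2 | 0x4                   # AccessMask: page lists 0x2/0x4; 0x1 (query) added here (assumption)
LSASS_ACCESS_BITS = 0x10                            # GrantedAccess: PROCESS_VM_READ (assumption, not from the page)
TIME_WINDOW = timedelta(minutes=5)                  # TimeWindow for correlation
KNOWN_GOOD = {r"c:\windows\system32\lsass.exe", r"c:\windows\system32\services.exe"}  # assumed allow-list


def _mask(value):
    """Parse an AccessMask / GrantedAccess hex string such as '0x1010' into an int."""
    try:
        return int(str(value), 16)
    except ValueError:
        return 0


def classify(ev):
    """Return the indicator tag a single event satisfies, or None."""
    image = (ev.get("Image") or ev.get("ProcessName") or "").lower()
    if image in KNOWN_GOOD:
        return None                       # tuning: known-good service operations are dropped
    ch, code = ev.get("Channel"), ev.get("EventCode")
    if ch == "Security" and code in (4656, 4663, 4670):
        if SECRETS_KEY in ev.get("ObjectName", "").lower() and _mask(ev.get("AccessMask")) & REG_ACCESS_BITS:
            return "secrets_key_access"   # registry access to HKLM\SECURITY\Policy\Secrets
    elif ch == "Sysmon" and code == 1:
        cmd = (ev.get("CommandLine") or "").lower()
        if "mimikatz" in cmd or SECRETS_KEY in cmd:
            return "suspicious_process"   # Mimikatz / Invoke-Mimikatz or a registry export of the Secrets key
    elif ch == "Sysmon" and code == 10:
        target = (ev.get("TargetImage") or "").lower()
        if target.endswith(r"\lsass.exe") and _mask(ev.get("GrantedAccess")) & LSASS_ACCESS_BITS:
            return "lsass_access"         # memory read access to LSASS
    elif ch == "Sysmon" and code == 7:
        module = (ev.get("ImageLoaded") or "").lower().rsplit("\\", 1)[-1]
        if module in SENSITIVE_MODULES:
            return "sensitive_module_load"
    return None


def correlate(events, window=TIME_WINDOW):
    """Group tagged events by (host, process id); open one alert per group as soon as
    two or more distinct indicators fall inside `window`, then keep it updated."""
    tagged = []
    for ev in events:
        tag = classify(ev)
        if tag:
            tagged.append((datetime.fromisoformat(ev["UtcTime"]), ev["Computer"], ev.get("ProcessId"), tag))
    tagged.sort(key=lambda t: t[0])
    recent, open_alerts, alerts = defaultdict(list), {}, []
    for ts, host, pid, tag in tagged:
        key = (host, pid)
        recent[key] = [(t, g) for t, g in recent[key] if ts - t <= window] + [(ts, tag)]
        tags = sorted({g for _, g in recent[key]})
        if len(tags) < 2:
            continue
        if key in open_alerts:
            open_alerts[key].update(indicators=tags, last_seen=ts.isoformat())
        else:
            open_alerts[key] = {"host": host, "pid": pid, "indicators": tags, "last_seen": ts.isoformat()}
            alerts.append(open_alerts[key])
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-10-21T10:00:00", "Computer": "WS01", "Channel": "Sysmon", "EventCode": 1,
     "ProcessId": 4242, "Image": r"C:\Users\alice\Downloads\tool.exe",
     "CommandLine": "powershell.exe -c Invoke-Mimikatz"},
    {"UtcTime": "2025-10-21T10:00:20", "Computer": "WS01", "Channel": "Sysmon", "EventCode": 10,
     "ProcessId": 4242, "Image": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"UtcTime": "2025-10-21T10:00:45", "Computer": "WS01", "Channel": "Security", "EventCode": 4663,
     "ProcessId": 4242, "ProcessName": r"C:\Users\alice\Downloads\tool.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets", "AccessMask": "0x1"},
    # Benign: a system service loading sechost.dll, and LSASS itself touching its own key.
    {"UtcTime": "2025-10-21T09:00:00", "Computer": "WS01", "Channel": "Sysmon", "EventCode": 7,
     "ProcessId": 700, "Image": r"C:\Windows\System32\services.exe",
     "ImageLoaded": r"C:\Windows\System32\sechost.dll"},
    {"UtcTime": "2025-10-21T09:00:05", "Computer": "WS01", "Channel": "Security", "EventCode": 4663,
     "ProcessId": 712, "ProcessName": r"C:\Windows\System32\lsass.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets", "AccessMask": "0x2"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Shrinking `window` to a few seconds makes the same three events fall outside each other's window and the alert disappears, which is the tuning trade-off the TimeWindow element describes; the allow-list and the access-mask bits are the other two knobs the page calls out and are the first things to adjust when a benign service keeps tripping `sensitive_module_load` or `secrets_key_access`.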