T1003.004
LSA Secrets
Description
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at `HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets`. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets) [Reg](https://attack.mitre.org/software/S0075) can be used to extract LSA secrets from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)
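A detection-side illustration of the Reg path described above, added here and not part of the ATT&CK entry: a Python filter over process-creation command lines that flags Reg reading from the `HKLM\SECURITY` hive. The subcommand list, the function names and the sample command lines are assumptions constructed for this example.

```python
import re
import shlex

# SECURITY hive root or any key under it, short or long hive name,
# optionally prefixed with a remote machine name (\\host\HKLM\...).
SECURITY_HIVE = re.compile(
    r"^(?:\\\\[^\\]+\\)?(?:HKLM|HKEY_LOCAL_MACHINE)\\SECURITY(?:\\.*)?$",
    re.IGNORECASE,
)
# Reg subcommands that read key contents (assumed list for this example).
READ_VERBS = {"save", "export", "query", "copy"}


def is_reg_binary(token):
    """True if the token is reg or reg.exe, with or without a directory."""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in ("reg", "reg.exe")


def flags_lsa_secret_access(command_line):
    """True when the command line is Reg reading from the SECURITY hive."""
    try:
        # posix=False keeps backslashes; surrounding quotes are stripped here.
        tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        tokens = [t.strip('"') for t in command_line.split()]
    if len(tokens) < 3 or not is_reg_binary(tokens[0]):
        return False
    if tokens[1].lower() not in READ_VERBS:
        return False
    return bool(SECURITY_HIVE.match(tokens[2].rstrip("\\")))


def scan(command_lines):
    """Return the command lines that should raise an alert, in input order."""
    return [c for c in command_lines if flags_lsa_secret_access(c)]


# Constructed sample command lines, not taken from any real log.
SAMPLES = [
    r'reg save HKLM\SECURITY C:\Windows\Temp\sec.hiv',
    r'"C:\Windows\System32\reg.exe" query "HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets"',
    r'reg query HKLM\SOFTWARE\Microsoft\Security',
    r'reg add HKLM\SECURITY\Test /v x /d 1',
    r'regedit.exe /s settings.reg',
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print("ALERT:", hit)
```

The filter only covers the Registry route via Reg; the memory route the description also names needs separate telemetry.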
Platforms
Mitigations
- M1027 — Password Policies
- M1026 — Privileged Account Management
- M1017 — User Training
Source: MITRE ATT&CK Enterprise matrix.