AN1212: Analytic 1212
Detects adversary activity aimed at accessing LSA Secrets, including registry key export of HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets or memory scraping via tools such as Mimikatz or PowerSploit's Invoke-Mimikatz.
Analyst context for executives and security teams
Analytic 1212 is about detecting attempts to access Windows LSA Secrets, a sensitive store that can contain credentials or credential-like material. For leaders, the practical issue is not the analytic name; it is whether the organization can see and investigate activity around protected Windows registry areas or memory-scraping behavior before it becomes an identity compromise and lateral movement problem.
Executive priority
Treat this as an identity and incident-readiness validation item for Windows environments. Security leaders should ask whether SOC and IR teams can prove visibility into suspicious access to LSA Secrets, including registry export activity involving HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets and behavior associated with credential-dumping tools. This supports control prioritization around endpoint monitoring, privileged access protection, and audit evidence for credential-theft detection readiness.
Technical view
The supplied ATT&CK analytic applies to Windows and describes detection of adversary activity aimed at accessing LSA Secrets, including registry key export of HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets or memory scraping via tools such as Mimikatz or PowerSploit's Invoke-Mimikatz. Because no official detection logic is provided, SOC teams should validate whether existing endpoint, registry, process, command-line, and memory-access telemetry can distinguish legitimate administrative or security tooling from suspicious attempts to read, export, or scrape LSA-related secrets.
Likely telemetry
- Windows endpoint detection and response telemetry
- Process creation and command-line telemetry
- Registry access or registry export telemetry for HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
- Security tool detections or alerts related to credential-dumping behavior
- Memory access or process inspection telemetry where available
Detection direction
- Confirm whether telemetry captures registry export or access attempts involving HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets.
- Validate visibility into execution patterns associated with tools named in the ATT&CK description, including Mimikatz and PowerSploit's Invoke-Mimikatz, without relying only on tool names.
- Tune for context: legitimate administrative, backup, forensic, or security testing activity may touch sensitive areas and should be separated from unusual user, host, process, or timing patterns.
- Prioritize correlation with privileged account use, unusual parent-child process relationships, and endpoint alerts related to credential access.
- Document blind spots where registry auditing, command-line logging, endpoint sensor coverage, or memory-access telemetry is absent on Windows systems.
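The detection direction above is easier to validate with a concrete scoring pass over telemetry. The following is an added example, not detection logic from MITRE or Glexia: a small Python triage routine run over constructed, Sysmon-style process-creation and process-access records. It scores each event on the signals the analytic names (a reference to the HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets path, a registry export of that key, a handle opened to lsass.exe memory, a known tool name), adds correlation points for privileged accounts and unusual parent processes, and downgrades allowlisted security tooling to informational instead of suppressing it. The event schema, the sensor path in the allowlist, the privileged-user set, the parent-process list and the severity thresholds are all assumptions to be replaced with your own environment's values.

```python
import re
from dataclasses import dataclass

# Constructed, Sysmon-style event record (an assumption, not a vendor schema).
@dataclass
class Event:
    host: str
    user: str
    event_type: str          # "process_create" or "process_access"
    image: str               # full path of the acting process
    parent_image: str = ""
    command_line: str = ""
    target_image: str = ""   # process_access only: process whose memory was opened

# Registry path named by the analytic, in long or short hive notation.
LSA_SECRETS_RE = re.compile(r"(HKEY_LOCAL_MACHINE|HKLM)\\SECURITY\\Policy\\Secrets", re.I)
# Native registry export/save verbs; only scored together with the path above,
# so an ordinary "reg query" of an unrelated key does not fire.
REG_EXPORT_RE = re.compile(r"\breg(\.exe)?\b.*\b(export|save)\b", re.I)
# Tool names from the ATT&CK description (covers "Invoke-Mimikatz" too). A weak
# signal on its own because tools are trivially renamed; never the only rule.
TOOL_NAME_RE = re.compile(r"mimikatz", re.I)

# Tuning inputs (assumed values; populate from your own environment).
ALLOWLISTED_IMAGES = {r"c:\program files\exampleedr\sensor.exe"}   # hypothetical sensor
PRIVILEGED_USERS = {"CORP\\da-admin", "CORP\\jdoe-adm"}            # constructed
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}


def score_event(ev: Event) -> tuple[int, list[str]]:
    """Return (score, reasons). Score 0 means no LSA-Secrets-related signal."""
    score, reasons = 0, []
    cmd = ev.command_line
    if LSA_SECRETS_RE.search(cmd):
        score += 3
        reasons.append("references HKLM\\SECURITY\\Policy\\Secrets")
        if REG_EXPORT_RE.search(cmd):
            score += 2
            reasons.append("registry export/save of the protected key")
    if TOOL_NAME_RE.search(cmd) or TOOL_NAME_RE.search(ev.image):
        score += 2
        reasons.append("credential-dumping tool name in image or command line")
    if ev.event_type == "process_access" and ev.target_image.lower().endswith("\\lsass.exe"):
        score += 3
        reasons.append("opened a handle to lsass.exe memory")
    if score == 0:
        return 0, reasons
    # Correlation bonuses: privileged account use and unusual parent-child chains.
    if ev.user in PRIVILEGED_USERS:
        score += 1
        reasons.append("privileged account")
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        score += 1
        reasons.append("unusual parent process " + parent)
    return score, reasons


def severity(ev: Event, score: int) -> str:
    """Context tuning: known security/backup tooling is kept visible but downgraded."""
    if ev.image.lower() in ALLOWLISTED_IMAGES:
        return "info"
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def triage(events: list[Event]) -> list[dict]:
    """Score every event and return the non-zero ones, highest score first."""
    alerts = []
    for ev in events:
        s, reasons = score_event(ev)
        if s:
            alerts.append({"host": ev.host, "user": ev.user, "image": ev.image,
                           "severity": severity(ev, s), "score": s, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    Event("WS-042", "CORP\\jdoe", "process_create", r"C:\Windows\System32\reg.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line=r"reg.exe export HKLM\SECURITY\Policy\Secrets C:\Users\Public\s.reg"),
    Event("WS-042", "CORP\\jdoe-adm", "process_create",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          command_line="powershell.exe -Command Invoke-Mimikatz"),
    Event("SRV-07", "NT AUTHORITY\\SYSTEM", "process_access", r"C:\Program Files\ExampleEDR\sensor.exe",
          target_image=r"C:\Windows\System32\lsass.exe"),
    Event("WS-042", "CORP\\jdoe", "process_access", r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
          parent_image=r"C:\Windows\explorer.exe", target_image=r"C:\Windows\System32\lsass.exe"),
    Event("WS-013", "CORP\\asmith", "process_create", r"C:\Windows\System32\reg.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line=r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["user"], "; ".join(alert["reasons"]))
```

Running the block yields one high alert (registry export of the key), two medium alerts (the Office-spawned PowerShell naming a tool from a privileged account, and an unsigned-looking temp binary opening lsass.exe), one informational entry for the allowlisted sensor, and nothing for the benign reg query. The point of keeping the allowlisted sensor visible rather than dropping it is the blind-spot audit in the last bullet: if the sensor's lsass access stops appearing, that itself is worth investigating.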
Mitigation priorities
- Prioritize endpoint monitoring coverage on Windows systems that hold privileged sessions or sensitive administrative access.
- Restrict and monitor privileged access capable of reading sensitive registry locations or interacting with security-sensitive process memory.
- Review hardening and credential-protection controls for Windows endpoints and servers, especially systems used by administrators.
- Ensure incident response playbooks include containment and credential-rotation decision points when LSA Secrets access is suspected.
- Maintain audit-ready evidence showing which Windows assets are covered by endpoint telemetry and which are not.
Analyst notes and limits
This object is a detection analytic rather than a full ATT&CK technique. The supplied fields provide the target behavior, platform, and examples of relevant tooling, but no official detection query, tactic, relationships, or data source list. The best defensive value is to use it as a coverage test for Windows credential-access visibility and IR readiness.
No official detection logic, tactic mapping, relationship context, or explicit data components were supplied. Local validation is required to determine whether telemetry exists, whether detections are enabled, and what activity is normal in the environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 403d0b2d5fed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1212
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.