DET0437: Detection of LSA Secrets Dumping via Registry and Memory Extraction
This detection strategy is about spotting attempts to obtain LSA secrets, a Windows credential store that may contain service account and other credential...
Analyst context for executives and security teams
This detection strategy is about spotting attempts to obtain LSA secrets, a Windows credential store that may contain service account and other credential material. For leaders, the practical issue is not the registry path itself; it is whether one compromised host with SYSTEM-level access can become a launch point for broader identity compromise and business disruption.
Executive priority
Prioritize this as an identity and incident-response readiness concern. Because the related ATT&CK technique is Credential Access on Windows, executives should ask whether SOC teams can prove visibility into suspicious access to LSA secrets through registry or memory extraction, and whether IR playbooks treat confirmed LSA secret access as a credential exposure event requiring containment, credential review, and service account risk decisions.
Technical view
The supplied object has no official detection text or platform field, but it detects ATT&CK T1003.004, LSA Secrets, whose relationship context identifies Windows, Credential Access, SYSTEM-level access, the registry location HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets, and memory dumping as relevant. SOC and detection teams should validate whether existing telemetry can identify unusual access to that protected registry area, suspicious memory access or dump behavior involving LSA-related credential material, and processes operating with SYSTEM privileges in contexts inconsistent with normal administration.
Likely telemetry
- Windows endpoint process execution and parent/child process context
- Registry access telemetry for HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
- Privilege and logon context showing SYSTEM-level activity
- Endpoint detection telemetry for memory access or dump-like behavior related to credential material
- File creation telemetry for dump artifacts where collected
Detection direction
- Confirm whether monitoring covers the protected registry path named in the related technique, not just generic registry modification events.
- Correlate registry or memory-access signals with process identity, parent process, user context, host role, and whether the activity occurred under SYSTEM privileges.
- Tune carefully for legitimate administrative, backup, security, or troubleshooting activity that may touch sensitive system areas, while treating unusual hosts, unusual timing, or unexpected process lineage as higher-risk.
- Use the relationship to T1003.004 to connect alerts to credential exposure workflows rather than handling them as isolated endpoint events.
- Document visibility gaps where registry auditing, endpoint memory-access telemetry, or privileged process context is unavailable.
Mitigation priorities
- Limit and monitor administrative paths that can obtain SYSTEM-level access on Windows hosts.
- Harden service account management and reduce stored credential exposure where operationally feasible.
- Ensure endpoint logging and EDR policies collect registry, process, privilege, and memory-access evidence needed for investigation.
- Prepare IR procedures for suspected LSA secret exposure, including containment, credential review, and service account rotation decisions based on local evidence.
- Maintain audit evidence showing which Windows host groups have coverage for this behavior and where exceptions exist.
Analyst notes and limits
The ATT&CK detection-strategy object itself is sparse: no official description, no official detection text, no tactics, and no platform field are provided. The practical framing here is derived from the object name and its relationship to T1003.004 LSA Secrets, including the related technique’s Windows platform, Credential Access tactic, SYSTEM-access prerequisite, registry path, and memory-dumping context.
This take does not assert active exploitation, actor attribution, guaranteed detection, or organization-specific exposure. Local telemetry, endpoint configuration, administrative practices, and service account architecture are required to determine actual risk and coverage.
Detection of LSA Secrets Dumping via Registry and Memory Extraction
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.004 | LSA Secrets Sub-technique | This object detects LSA Secrets. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 67646f06531e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0437Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.