feat(rules): Add Potential LSA secrets registry dumping rule

rabbitstack · rabbitstack · commit 926a41a1f2d1 · 2026-03-01T23:01:29.000+01:00
Identifies potential dumping of LSA secrets by suspicious processes that access sensitive SECURITY registry hives associated with cached credentials and LSA secret storage.
This behavior is commonly observed in credential dumping utilities attempting to extract plaintext secrets, service credentials, or cached domain credentials from the Local Security Authority.
diff --git a/rules/credential_access_potential_lsa_secrets_registry_dumping.yml b/rules/credential_access_potential_lsa_secrets_registry_dumping.yml
@@ -0,0 +1,54 @@
+name: Potential LSA secrets registry dumping
+id: e5e95cbe-c8ab-418c-abe3-539d70a0b0af
+version: 1.0.0
+description: |
+  Identifies potential dumping of LSA secrets by suspicious processes that access
+  sensitive SECURITY registry hives associated with cached credentials and LSA secret
+  storage.
+  This behavior is commonly observed in credential dumping utilities attempting to
+  extract plaintext secrets, service credentials, or cached domain credentials from
+  the Local Security Authority.
+labels:
+  tactic.id: TA0006
+  tactic.name: Credential Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0006/
+  technique.id: T1003
+  technique.name: OS Credential Dumping
+  technique.ref: https://attack.mitre.org/techniques/T1003/
+  subtechnique.id: T1003.004
+  subtechnique.name: LSA secrets
+  subtechnique.ref: https://attack.mitre.org/techniques/T1003/004/
+references:
+  - https://github.com/almounah/silp
+
+condition: >
+  sequence
+  maxspan 10m
+  by ps.uuid
+    |spawn_process and
+     ps.token.integrity_level not in ('LOW', 'MEDIUM') and
+     ps.exe not imatches
+                (
+                  '?:\\Windows\\regedit.exe',
+                  '?:\\Program Files\\*',
+                  '?:\\Program Files (x86)\\*',
+                  '?:\\Windows\\System32\\lsass.exe'
+                )
+    |
+    |open_registry and
+     registry.path imatches
+                (
+                  'HKEY_LOCAL_MACHINE\\SECURITY\\CACHE\\*',
+                  'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\*'
+                ) and
+      registry.path not imatches
+                (
+                  'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\$MACHINE.ACC\\CupdTime\\*'
+                )
+    |
+action:
+  - name: kill
+
+severity: critical
+
+min-engine-version: 3.0.0
