From 24b19b27913ff82b9be68b9128cb4d1bae9e9fb5 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Mon, 2 Feb 2026 18:25:26 +0100
Subject: [PATCH] feat(rules): Add Potential LSA secrets registry dumping rule

Identifies potential dumping of LSA secrets by suspicious processes that access sensitive SECURITY registry hives associated with cached credentials and LSA secret storage. This behavior is commonly observed in credential dumping utilities attempting to extract plaintext secrets, service credentials, or cached domain credentials from the Local Security Authority.
---
 ...potential_lsa_secrets_registry_dumping.yml | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 rules/credential_access_potential_lsa_secrets_registry_dumping.yml

diff --git a/rules/credential_access_potential_lsa_secrets_registry_dumping.yml b/rules/credential_access_potential_lsa_secrets_registry_dumping.yml
new file mode 100644
index 000000000..46b5abf78
--- /dev/null
+++ b/rules/credential_access_potential_lsa_secrets_registry_dumping.yml
@@ -0,0 +1,54 @@
+name: Potential LSA secrets registry dumping
+id: e5e95cbe-c8ab-418c-abe3-539d70a0b0af
+version: 1.0.0
+description: |
+ Identifies potential dumping of LSA secrets by suspicious processes that access
+ sensitive SECURITY registry hives associated with cached credentials and LSA secret
+ storage.
+ This behavior is commonly observed in credential dumping utilities attempting to
+ extract plaintext secrets, service credentials, or cached domain credentials from
+ the Local Security Authority.
+labels:
+ tactic.id: TA0006
+ tactic.name: Credential Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0006/
+ technique.id: T1003
+ technique.name: OS Credential Dumping
+ technique.ref: https://attack.mitre.org/techniques/T1003/
+ subtechnique.id: T1003.004
+ subtechnique.name: LSA secrets
+ subtechnique.ref: https://attack.mitre.org/techniques/T1003/004/
+references:
+ - https://github.com/almounah/silp
+
+condition: >
+ sequence
+ maxspan 10m
+ by ps.uuid
+ |spawn_process and
+ ps.token.integrity_level not in ('LOW', 'MEDIUM') and
+ ps.exe not imatches
+ (
+ '?:\\Windows\\regedit.exe',
+ '?:\\Program Files\\*',
+ '?:\\Program Files (x86)\\*',
+ '?:\\Windows\\System32\\lsass.exe'
+ )
+ |
+ |open_registry and
+ registry.path imatches
+ (
+ 'HKEY_LOCAL_MACHINE\\SECURITY\\CACHE\\*',
+ 'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\*'
+ ) and
+ registry.path not imatches
+ (
+ 'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\$MACHINE.ACC\\CupdTime\\*'
+ )
+ |
+action:
+ - name: kill
+
+severity: critical
+
+min-engine-version: 3.0.0
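Review bot: The `'?:\\Program Files\\*'` and `'?:\\Program Files (x86)\\*'` entries in the `ps.exe not imatches` exclusion of the spawn_process leg are a ready-made bypass: the rule already requires a process whose `ps.token.integrity_level` is above MEDIUM, and a principal at that level can write under Program Files, so an attacker simply copies the dumper there and the sequence never fires. Replace the two directory wildcards with the specific binaries that actually produced noise during tuning, e.g. `'?:\\Program Files\\<Vendor>\\<agent>.exe'`, or drop them and keep only the `$MACHINE.ACC\\CupdTime` suppression; if the engine exposes signer or publisher attributes, an allow-list on those would be a safer carve-out than a path prefix. Because `action: kill` terminates the matched process, a false positive on a SYSTEM-level backup or endpoint agent that legitimately touches `SECURITY\\Policy\\Secrets` would be killed outright, so it may be worth shipping this alert-only until the exclusion set is validated on real hosts. Finally, both match patterns require a path component after the key name, so an open of `HKLM\\SECURITY\\Cache` itself (cached credentials are presumably stored as `NL$n` values under that key rather than subkeys) or a `reg save HKLM\\SECURITY` that opens only the hive root may not match unless `*` also matches an empty remainder — a test event for each case would confirm coverage.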