title: T1003.004 LSA Secrets
description: For simplicity, we're detecting a Cmdline used for both psexec (the test) as well as direct reg.exe LSA extraction.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
  tactic: Credential Access
  technique: T1003
  subtechnique: 004
operating_system: windows
query: TgtProcCmdLine ContainsCIS "save HKLM\security\policy\secrets"
false_positives: null
tags: null