title: LSA Secrets Extraction
description: Detect direct LSA extraction with reg.exe.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
  tactic: Credential Access
  technique: T1003
  subtechnique: 004
operating_system: windows
query: TgtProcCmdLine ContainsCIS "save HKLM\security\policy\secrets"
false_positives:
tags: