# LSA Secrets

LSA, the **Local Security Authority**, is the core component of the security subsystem in Microsoft Windows. The LSA is responsible for managing interactive logons on the system, issuing security access tokens to users, enforcing local security policy, and so on. LSA secrets are a storage area used by the Local Security Authority in Windows.

The purpose of the LSA is to manage the system's local security policy, which by definition means it stores private data about user logons, user authentication, and its LSA secrets. Only **SYSTEM** privileges can access LSA secrets. The sensitive system data stored in LSA secrets includes **user passwords**, **IE passwords**, **service account passwords**, **SQL passwords**, **system account passwords**, **account passwords configured in scheduled tasks**, and so on.

There are likewise several ways to extract LSA secrets, all of them similar to extracting credentials from the SAM.

### **Online extraction**

Most C2 frameworks currently do not have a built-in command or feature for exporting LSA secrets, but mimikatz or Impacket can still be used for this. The mimikatz command for exporting LSA secrets is **lsadump::secrets**.

[![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/59HSDz7fSxZJRJKa-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/59HSDz7fSxZJRJKa-image.png)

[![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/T8mFulvd9xQXaauC-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/T8mFulvd9xQXaauC-image.png)

### **Offline extraction**

LSA secrets are stored in the registry at **HKEY\_LOCAL\_MACHINE\\SECURITY\\Policy\\Secrets**, and the backing hive file is located at **C:\\Windows\\System32\\Config\\SECURITY**.

The registry hive **HKLM\\SECURITY** stores credentials in forms such as plaintext passwords, domain cached credentials, and NTLM hashes. Saving it together with **HKLM\\SYSTEM** (which holds the boot key needed to decrypt it) allows the secrets to be parsed offline:

```
reg save HKLM\SYSTEM C:\Windows\Tasks\SYSTEM
reg save HKLM\SECURITY C:\Windows\Tasks\SECURITY
```

[![image.png](https://raven-medicine.com/uploads/images/gallery/2023-05/scaled-1680-/RBIhrw2lk8eYr49H-image.png)](https://raven-medicine.com/uploads/images/gallery/2023-05/RBIhrw2lk8eYr49H-image.png)
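As an added defender-side example (not code from the original page), the following Python scans process-creation command lines for the two extraction patterns this page describes: `reg save`/`export` of the SECURITY and SYSTEM hives, and mimikatz's `lsadump::secrets`. The event format and the sample command lines are constructed; the SAM hive is included alongside the two hives named above.

```python
import re
from dataclasses import dataclass

# Hives whose offline copies are used for credential extraction. The section
# above covers SECURITY (LSA secrets) and SYSTEM (boot key); SAM is added here.
CREDENTIAL_HIVES = ("SECURITY", "SYSTEM", "SAM")

# reg.exe save/export of one of those hives, e.g. "reg save HKLM\SECURITY C:\...".
HIVE_SAVE_RE = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+\"?(?:HKLM|HKEY_LOCAL_MACHINE)\\(%s)\b"
    % "|".join(CREDENTIAL_HIVES),
    re.IGNORECASE,
)
# mimikatz module invocation for LSA secrets, regardless of the binary's name.
LSADUMP_RE = re.compile(r"lsadump::secrets", re.IGNORECASE)

@dataclass
class Finding:
    rule: str
    detail: str
    cmdline: str

def analyze_event(event):
    """Return a Finding if the event's "cmdline" matches a rule, else None."""
    cmdline = event.get("cmdline", "")
    m = HIVE_SAVE_RE.search(cmdline)
    if m:
        return Finding("registry_hive_export", m.group(1).upper(), cmdline)
    if LSADUMP_RE.search(cmdline):
        return Finding("mimikatz_lsadump_secrets", "lsadump::secrets", cmdline)
    return None

def scan(events):
    return [f for f in (analyze_event(e) for e in events) if f]

# Constructed sample events (not from the page); the first two mirror the
# reg save commands shown above, the fourth is a benign hive backup.
SAMPLE_EVENTS = [
    {"cmdline": r"reg save HKLM\SYSTEM C:\Windows\Tasks\SYSTEM"},
    {"cmdline": r"reg save HKLM\SECURITY C:\Windows\Tasks\SECURITY"},
    {"cmdline": r'reg.exe export "HKEY_LOCAL_MACHINE\SAM" C:\Users\Public\sam.hiv'},
    {"cmdline": r"reg save HKLM\SOFTWARE C:\backup\software.hiv"},
    {"cmdline": r'C:\tools\m.exe "privilege::debug" "lsadump::secrets" exit'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}: {f.cmdline}")
```

The match on command line alone is a starting point; correlating with the parent process and the user context (the page notes SYSTEM is required) reduces false positives from legitimate backups.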