SECURITY Hive (LSA Secrets & Cached Logons)
Location
C:\Windows\System32\config\SECURITY
Common Names
HKLM\SECURITY (the same hive as mounted in the live registry)
Description
Registry hive holding Local Security Authority (LSA) policy data: the domain cached credential entries (DCC2/MSCache2 verifiers) for domain users who have logged on interactively, the LSA secrets store (service-account passwords stored as _SC_<service> secrets, the machine account password under $MACHINE.ACC, the DPAPI_SYSTEM keys, the NL$KM key that encrypts the logon cache, and any autologon DefaultPassword), and local security policy settings such as the audit policy. Everything sensitive in it is encrypted under keys derived from the boot key held in the SYSTEM hive.
Forensic Value
The SECURITY hive establishes whether domain credentials, service passwords, or other LSA-protected secrets were present on the host and therefore exposed to anyone who gained SYSTEM or local administrator rights. Parsed offline together with the SYSTEM hive (which supplies the boot key), it yields the cached logon entries (domain, username, and DCC2 verifier, plus a last-use timestamp with newer tools) and the decrypted secret blobs, which reveal which service and scheduled-task accounts ran on the host, whether an autologon password was configured, and which domain users authenticated here before the compromise. Cached entries cannot be replayed with pass-the-hash and must be cracked, whereas _SC_ service secrets and DefaultPassword are plaintext, so the two classes carry different scoping weight. The hive is especially valuable when scoping credential access or confirming whether an endpoint held reusable authentication material after a compromise.
Tools Required
reg.exe (built in), KAPE, Impacket secretsdump.py. The paired SYSTEM hive is required to decrypt anything in SECURITY, so collect both with the same method.
Collection Commands
reg.exe (elevated prompt; the live hive file is locked, so export it rather than copying the file)
reg save HKLM\SECURITY C:\output\SECURITY.hiv
KAPE
kape.exe --tsource C: --tdest C:\output --target RegistryHives
Impacket
python3 secretsdump.py -security SECURITY.hiv -system SYSTEM.hiv LOCAL
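The Forensic Value section above describes turning the decrypted cache entries and secret blobs into scoping conclusions. As an added example (not part of this page, and not Impacket's own code), the following Python reads the text that the secretsdump.py command above prints and reduces it to the findings an analyst needs: which domain users had cached logons, which services stored account passwords, whether an autologon password, the machine account, and DPAPI_SYSTEM were present. The sample output, the function names parse_secretsdump and summarize, and every hash, key, and password in it are constructed placeholders; line layouts follow what Impacket prints, including the optional trailing timestamp on cache entries.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of `secretsdump.py -security SECURITY.hiv -system SYSTEM.hiv LOCAL`
# output. Layout follows what Impacket prints; every hash, key and password is a
# placeholder, not recovered data.
SAMPLE_OUTPUT = r"""
[*] Target system bootKey: 0x0123456789abcdef0123456789abcdef
[*] Dumping cached domain logon information (domain/username:hash)
CORP.LOCAL/jdoe:$DCC2$10240#jdoe#0123456789abcdef0123456789abcdef: (2024-03-02 10:11:12)
CORP.LOCAL/adm_backup:$DCC2$10240#adm_backup#fedcba9876543210fedcba9876543210: (2024-02-28 08:00:01)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:6e00650076006500720020007200650061006c00
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
[*] DPAPI_SYSTEM
dpapi_machinekey:0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
dpapi_userkey:0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
[*] NL$KM
 0000   11 22 33 44 55 66 77 88  99 AA BB CC DD EE FF 00   ."3DUfw.........
NL$KM:11223344556677889900aabbccddeeff00
[*] _SC_svcBackup
CORP\svc_backup:Placeholder-Service-Pw!
[*] DefaultPassword
(Unknown User):Placeholder-Autologon-Pw
[*] Cleaning up...
"""

# DOMAIN/user:$DCC2$<iterations>#user#<hex>[: (timestamp)]
DCC2_RE = re.compile(
    r"^(?P<domain>[^/\s]+)/(?P<user>[^:]+):\$DCC2\$(?P<iters>\d+)#[^#]+#"
    r"(?P<hash>[0-9a-fA-F]+)(?::\s*\((?P<ts>[^)]+)\))?"
)
HEXDUMP_RE = re.compile(r"^\s+[0-9A-Fa-f]{4}\s{2,}")  # secretsdump hexdump rows


@dataclass
class CachedLogon:
    domain: str
    user: str
    iterations: int            # PBKDF2 rounds baked into the DCC2 verifier
    dcc2_hash: str
    last_seen: Optional[str]   # timestamp printed by newer Impacket builds, if any


@dataclass
class Findings:
    cached_logons: list = field(default_factory=list)
    service_accounts: dict = field(default_factory=dict)  # service name -> account
    autologon_users: list = field(default_factory=list)
    machine_account: bool = False
    dpapi_system: bool = False
    nlkm_present: bool = False


def parse_secretsdump(text: str) -> Findings:
    """Walk secretsdump LOCAL output, tracking the section and current secret name."""
    f = Findings()
    mode = None    # "cache" or "secrets"
    secret = None  # name of the LSA secret whose value lines follow
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("[*] "):
            label = line[4:].strip()
            if label.startswith("Dumping cached domain logon"):
                mode, secret = "cache", None
            elif label.startswith("Dumping LSA Secrets"):
                mode, secret = "secrets", None
            elif mode == "secrets" and not label.startswith("Cleaning up"):
                secret = label
                f.machine_account |= secret == "$MACHINE.ACC"
                f.dpapi_system |= secret == "DPAPI_SYSTEM"
                f.nlkm_present |= secret == "NL$KM"
            continue
        if mode == "cache":
            m = DCC2_RE.match(line)
            if m:
                f.cached_logons.append(CachedLogon(
                    m["domain"], m["user"], int(m["iters"]), m["hash"].lower(), m["ts"]))
        elif mode == "secrets" and secret and ":" in line and not HEXDUMP_RE.match(line):
            account = line.split(":", 1)[0]  # keep the account, never the password, in triage output
            if secret.startswith("_SC_"):
                f.service_accounts[secret[len("_SC_"):]] = account
            elif secret == "DefaultPassword":
                f.autologon_users.append(account)
    return f


def summarize(f: Findings) -> list:
    """Scoping statements: what reusable authentication material the host held."""
    notes = []
    if f.cached_logons:
        who = ", ".join(f"{c.domain}\\{c.user}" for c in f.cached_logons)
        notes.append(f"{len(f.cached_logons)} cached domain logon(s) as DCC2 verifiers "
                     f"(crackable offline, not usable for pass-the-hash): {who}")
    for svc, acct in sorted(f.service_accounts.items()):
        notes.append(f"service '{svc}' stores a plaintext password for {acct}")
    for acct in f.autologon_users:
        notes.append(f"autologon DefaultPassword present for {acct}")
    if f.machine_account:
        notes.append("machine account secret present (domain computer identity reusable)")
    if f.dpapi_system:
        notes.append("DPAPI_SYSTEM keys present (machine-scope DPAPI blobs decryptable)")
    return notes


if __name__ == "__main__":
    for note in summarize(parse_secretsdump(SAMPLE_OUTPUT)):
        print("-", note)
```

Feed it the saved stdout of the secretsdump run rather than the hive itself; the parser deliberately records account names and the presence of each secret class but drops the password values, so its output can go into a case report without copying credentials into it.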
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, local policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled: no cached entries can mean the host was not domain-joined, no domain user ever logged on interactively, or caching was turned off.
- Interpreting secret material requires the paired SYSTEM hive (the boot key lives there) and administrative or offline access, so export HKLM\SYSTEM alongside HKLM\SECURITY. The number of cached entries is capped by CachedLogonsCount under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (default 10, 0 disables caching), so check that value in the SOFTWARE hive before drawing conclusions from a sparse cache. Credential Guard and RunAsPPL mainly constrain live extraction from LSASS rather than reading the on-disk hive, but they can change which secrets are present and usable, so verify what the export actually decrypts to rather than assuming it.