Exam 312-49v10 topic 1 question 171 discussion

There is no plain text pw in that hive, so remains cached.

B > credentials for service accounts are stored in the local registry, as what's called "LSA Secrets" in the registry key HKEY_LOCAL_MACHINE/Security/Policy/Secrets. Because the service needs to read the actual password to login as the service account, that password is in the registry in clear-text.

B < https://attack.mitre.org/techniques/T1003/004/ Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.[1][2][3] LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. LSA secrets can also be dumped from memory.[

C: Thinking that might have an intentional typo, so might the answer be LSA instead of IAS...

This answer is incorrect, but I'm not sure what the correct answer is. As vcloudpmp stated, LSA secrets are stored in this key, and they do include service account passwords, but they are NOT in plain text. Everything is encrypted. The answer choices to this question may not be accurate.

The Local Security Authority (LSA) in Windows is designed to manage a systems security policy, auditing, logging users on to the system, and storing private data such as service account passwords. The LSA secrets are stored under the HKLM:\Security\Policy\Secrets key. This key contains additional subkeys that store encrypted secrets. The HKLM:\Security\Policy\Secrets key is not accessible from regedit or other tools by default, but we can access it by running the Enable-TSDuplicateToken function described in yesterday’s blog, Use PowerShell to Duplicate Process Tokens via P/Invoke. The secrets are available in the 32-bit registry. Step one is to start an elevated 32-bit Windows PowerShell prompt.