:py:mod:`dissect.target.plugins.os.windows.lsa`
===============================================

.. py:module:: dissect.target.plugins.os.windows.lsa

Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.lsa.LSAPlugin

Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.lsa.HAS_CRYPTO
   dissect.target.plugins.os.windows.lsa.LSASecretRecord

.. py:data:: HAS_CRYPTO
   :value: True

.. py:data:: LSASecretRecord

.. py:class:: LSAPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Windows Local Security Authority (LSA) plugin.

   .. rubric:: References

   - https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-authentication
   - https://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html (Windows XP)
   - https://github.com/fortra/impacket/blob/master/impacket/examples/secretsdump.py
   - ReVaulting decryption and opportunities SANS Summit Prague 2015

   .. py:attribute:: __namespace__
      :value: 'lsa'

      Defines the plugin namespace.

   .. py:attribute:: SECURITY_POLICY_KEY
      :value: 'HKEY_LOCAL_MACHINE\\SECURITY\\Policy'

   .. py:attribute:: SYSTEM_KEY
      :value: 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA'

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:property:: syskey
      :type: bytes

      Return byte value of Windows system SYSKEY, also called BootKey.

   .. py:property:: lsakey
      :type: bytes

      Decrypt and return the LSA key of the Windows system.

   .. py:method:: secrets() -> collections.abc.Iterator[LSASecretRecord]

      Yield decrypted LSA secrets from a Windows target.
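
The ``syskey`` property above returns the BootKey read from under ``SYSTEM_KEY``. The following is an added example, not dissect's own code: it follows the publicly documented derivation used by the referenced ``secretsdump.py``, where the registry class names of four subkeys are concatenated and byte-permuted. The helper name ``assemble_bootkey`` and the sample class names are assumptions constructed for illustration.

```python
import string

# Subkeys of HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Each one's registry
# class name (not a value) stores 8 hex characters of the scrambled BootKey.
BOOTKEY_PARTS = ("JD", "Skew1", "GBG", "Data")

# Byte permutation applied to the 16 scrambled bytes (same table as secretsdump.py).
BOOTKEY_PERMUTATION = (8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7)


def assemble_bootkey(class_names: dict[str, str]) -> bytes:
    """Build the 16-byte BootKey from the four subkey class names (hypothetical helper)."""
    scrambled_hex = ""
    for name in BOOTKEY_PARTS:
        part = class_names.get(name)
        if part is None:
            raise ValueError(f"missing class name for subkey {name!r}")
        if len(part) != 8 or any(c not in string.hexdigits for c in part):
            raise ValueError(f"class name of {name!r} is not 8 hex characters")
        scrambled_hex += part
    scrambled = bytes.fromhex(scrambled_hex)
    # Reorder the scrambled bytes into their final positions.
    return bytes(scrambled[i] for i in BOOTKEY_PERMUTATION)


# Constructed sample class names, not taken from any real system.
SAMPLE_CLASS_NAMES = {
    "JD": "00112233",
    "Skew1": "44556677",
    "GBG": "8899aabb",
    "Data": "ccddeeff",
}

if __name__ == "__main__":
    print(assemble_bootkey(SAMPLE_CLASS_NAMES).hex())
```

On an acquired SYSTEM hive, a missing or malformed class name means the BootKey cannot be rebuilt, so the function raises instead of returning a partial key.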