Overview

The LSASettings command enumerates Local Security Authority (LSA) configuration settings, including authentication packages, security packages, and LSA protection status. These settings are critical for understanding credential storage and authentication mechanisms.

Syntax

Seatbelt.exe LSASettings

Remote Execution

Seatbelt.exe LSASettings -computername=TARGET.domain.com [-username=DOMAIN\user -password=pass]

Output

Returns LSA configuration including:
  • Authentication packages
  • Security packages
  • Notification packages
  • LSA protection status (RunAsPPL)
  • WDigest credential caching
  • Token filtering policy

Use Cases

  • Determine if WDigest is enabled (plaintext creds in memory)
  • Check LSA protection status (PPL)
  • Identify authentication packages
  • Assess credential dumping difficulty
  • Plan credential access techniques

Example Output

====== LSASettings ======

Authentication Packages:
  msv1_0
  kerberos
  negotiate

Security Packages:
  kerberos
  msv1_0
  tspkg
  wdigest
  cloudap

LSA Protection (RunAsPPL): Enabled
WDigest UseLogonCredential: 0 (Disabled)
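
The following Python is an added example, not part of the original page or of Seatbelt: it parses output in the format shown above and reports the settings a reviewer would flag. The baseline package lists, the function names and the "1 (Enabled)" form of an enabled WDigest value are assumptions made for the example.

```python
# Constructed sample in the format of the example output above.
SAMPLE = """====== LSASettings ======

Authentication Packages:
  msv1_0
  kerberos
  negotiate

Security Packages:
  kerberos
  msv1_0
  tspkg
  wdigest
  cloudap

LSA Protection (RunAsPPL): Enabled
WDigest UseLogonCredential: 0 (Disabled)
"""
# Assumed baseline (the packages in the sample); use your own build standard.
BASELINE = {"Authentication Packages": {"msv1_0", "kerberos", "negotiate"},
            "Security Packages": {"kerberos", "msv1_0", "tspkg", "wdigest", "cloudap"}}

def parse_lsa_settings(text):
    """Split the report into package lists and 'Name: value' settings."""
    lists, scalars, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            current = None                        # blank line or banner ends a list
        elif raw[0].isspace() and current:
            lists[current].append(line.lower())   # indented entry of the open list
        elif line.endswith(":"):
            current = line[:-1]                   # "Security Packages:" opens a list
            lists[current] = []
        elif ":" in line:
            key, value = line.split(":", 1)
            scalars[key.strip()] = value.strip()
    return lists, scalars

def audit(text, baseline=BASELINE):
    """Return hardening findings; an empty list means nothing was flagged."""
    lists, scalars = parse_lsa_settings(text)
    findings = []
    if scalars.get("LSA Protection (RunAsPPL)", "").lower() != "enabled":
        findings.append("LSA protection (RunAsPPL) is not enabled")
    if scalars.get("WDigest UseLogonCredential", "").startswith("1"):
        findings.append("WDigest UseLogonCredential is 1 (plaintext credentials in memory)")
    for name, allowed in baseline.items():
        findings += [f"{name}: {p} not in baseline" for p in lists.get(name, []) if p not in allowed]
    return findings
```

Calling audit(SAMPLE) returns an empty list for the output shown above; a report with RunAsPPL disabled, UseLogonCredential set to 1, or a package outside the baseline returns one finding per issue.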

Remote Execution

This command supports remote execution using the -computername parameter.

Detection Considerations

Low detection risk: the command reads LSA registry settings.