T1003.002: Security Account Manager
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database, either through in-memory techniques or through the Windows Registry hive in which the SAM database is stored. The SAM is a database file that holds the local accounts of the host, typically those listed by the net user command. Enumerating the SAM database requires SYSTEM-level access: the hive is held open by the kernel while Windows runs, so an attacker either saves it through the Registry API with backup privileges or copies the hashes out of memory.
A number of tools can retrieve the SAM contents through in-memory techniques; the detection rules listed below cover several of them. Alternatively, the SAM can be extracted from the Registry with reg. The SYSTEM hive is saved as well because it holds the boot key needed to decrypt the hashes stored in the SAM:
reg save HKLM\sam sam
reg save HKLM\system system
Creddump7 (or Impacket's secretsdump.py with the -sam, -system and LOCAL options) can then process the saved hives offline to retrieve the hashes.
Notes:
- The RID 500 account is the local built-in Administrator; it keeps that RID even if the account is renamed.
- RID 501 is the Guest account.
- Locally created user accounts are assigned RIDs starting at 1000.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
hacking_tools: PT-CR-585: Impacket_Secretsdump: Use of Impacket Secretsdump is detected
hacking_tools: PT-CR-2118: adPEAS_Usage: The adPEAS script for domain reconnaissance was started
mitre_attck_cred_access: PT-CR-311: Remote_Password_Dump: Remote access to SAMR, WINREG, SVCCTL, and C:\Windows\system32 within 30 seconds of user authentication
vulnerabilities: PT-CR-2236: CVE_2021_36934_HiveNightmare: Exploitation of vulnerability CVE-2021-36934 (HiveNightmare), which allows reading registry hive files from a volume shadow copy without administrator privileges
hacking_tools: PT-CR-2237: Go_Secdump_Activity: The go-secdump utility was used, which is a tool built to remotely extract hashes from the registry hives without any remote agent and without touching disk
hacking_tools: PT-CR-758: Lazagne_Usage: Use of the LaZagne tool to dump credentials is detected
mitre_attck_cred_access: PT-CR-1851: Symbolic_Link_To_Shadow_Copy_Created: Attackers can create symbolic links to Windows shadow copies to access files in these links, for example, ntds.dit
mitre_attck_cred_access: PT-CR-2312: MultiDump_Registry_Dump: The MultiDump utility was used to dump SAM, SECURITY, and SYSTEM hives without triggering Defender alerts
mitre_attck_cred_access: PT-CR-298: Access_System_Credential_files_via_cmdline: An attempt to retrieve OS user credentials is detected
mitre_attck_cred_access: PT-CR-301: Credential_Dump_in_Local_Registry: Possible dumping of user credentials is detected
Detection
ID | Data source and component | Description
---|---|---
DS0024 | Windows Registry: Windows Registry Key Access | Monitor for the SAM registry key dump being created to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in use by adversaries may help as well.
DS0022 | File: File Access | Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may attempt to extract credential material from the SAM database, either through in-memory techniques or through the Windows Registry where the SAM database is stored.
DS0022 | File: File Creation | Monitor newly constructed files being written with default names that have extracted credentials from the Security Account Manager.
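The reg save procedure above, the Command Execution data source, and the PT-CR-311 rule (SAMR, WINREG, SVCCTL and C:\Windows\system32 touched within 30 seconds of a logon) can be turned into concrete detection logic. The script below is an added example for this page, not MITRE's or Positive Technologies' code. It models events loosely on Security log IDs 4688 (process creation), 4624 (logon) and 5145 (share object access); the field names, command lines, addresses and timestamps are constructed for the example, and the 30-second window and the list of dumper names are assumptions.

```python
"""Detection logic for SAM hive dumping, run over constructed Windows events.

Added example for this page (not MITRE's or Positive Technologies' code).
  1. command-line matching for reg save/export of the SAM, SYSTEM or SECURITY
     hives and for well-known dumpers (Command Execution data source);
  2. the PT-CR-311 pattern: one remote source touching the SAMR, WINREG and
     SVCCTL pipes plus C:\\Windows\\system32 within 30 s of its logon.
All event values below are constructed for the example, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# reg.exe save/export of a protected hive, e.g. 'reg save HKLM\sam sam'.
HIVE_DUMP_RE = re.compile(
    r'\breg(?:\.exe)?"?\s+(?:save|export)\s+"?(?:hklm|hkey_local_machine)\\(sam|system|security)\b',
    re.IGNORECASE,
)
# Names of dumpers that read the SAM from memory or from saved hives (assumed list).
DUMPER_RE = re.compile(
    r"secretsdump|lsadump::sam|mimikatz|pwdump|gsecdump|go-secdump|lazagne|multidump",
    re.IGNORECASE,
)

# Constructed 4688 command lines (not real process telemetry).
SAMPLE_COMMANDS = [
    r"reg save HKLM\sam C:\Windows\Temp\sam",
    r'"C:\Windows\system32\reg.exe" save hklm\system system',
    r"python secretsdump.py -sam sam.save -system system.save LOCAL",
    r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"notepad.exe C:\Users\alice\notes.txt",
]


def scan_commands(cmdlines):
    """Return (kind, what, cmdline) for each command line that looks like a SAM dump."""
    findings = []
    for cmd in cmdlines:
        m = HIVE_DUMP_RE.search(cmd)
        if m:
            findings.append(("hive_save", m.group(1).lower(), cmd))
            continue
        m = DUMPER_RE.search(cmd)
        if m:
            findings.append(("dumper_tool", m.group(0).lower(), cmd))
    return findings


REQUIRED_OBJECTS = {"samr", "winreg", "svcctl", "system32"}


def _normalize_target(share, target):
    """Map a 5145 share/target pair onto one of the objects PT-CR-311 looks for."""
    share_name = share.rsplit("\\", 1)[-1].upper()      # '\\*\IPC$' -> 'IPC$'
    target_l = target.lower().replace("/", "\\")
    if share_name == "IPC$" and target_l in ("samr", "winreg", "svcctl"):
        return target_l
    if share_name == "ADMIN$" and target_l.startswith("system32\\"):
        return "system32"
    if share_name == "C$" and target_l.startswith("windows\\system32\\"):
        return "system32"
    return None


def detect_remote_dump(events, window=timedelta(seconds=30)):
    """Return {source address: logon time} for every source that touched all
    required objects within `window` after one of its logons."""
    logons = defaultdict(list)    # src -> logon timestamps
    accesses = defaultdict(list)  # src -> (timestamp, object)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4624:
            logons[ev["src"]].append(ts)
        elif ev["id"] == 5145:
            obj = _normalize_target(ev["share"], ev["target"])
            if obj:
                accesses[ev["src"]].append((ts, obj))
    hits = {}
    for src, times in logons.items():
        for t0 in times:
            seen = {obj for ts, obj in accesses[src] if t0 <= ts <= t0 + window}
            if REQUIRED_OBJECTS <= seen:
                hits[src] = t0.isoformat()
                break
    return hits


def _ev(ts, event_id, src, share="", target=""):
    return {"ts": ts, "id": event_id, "src": src, "share": share, "target": target}


# Constructed 4624/5145 events (not real telemetry).
SAMPLE_EVENTS = [
    # 10.0.0.5: logon, then all four objects inside 30 s -> remote dump pattern
    _ev("2024-05-01T10:00:00", 4624, "10.0.0.5"),
    _ev("2024-05-01T10:00:03", 5145, "10.0.0.5", r"\\*\IPC$", "samr"),
    _ev("2024-05-01T10:00:05", 5145, "10.0.0.5", r"\\*\IPC$", "winreg"),
    _ev("2024-05-01T10:00:07", 5145, "10.0.0.5", r"\\*\IPC$", "svcctl"),
    _ev("2024-05-01T10:00:09", 5145, "10.0.0.5", r"\\*\ADMIN$", r"system32\svchost.exe"),
    # 10.0.0.9: an admin who only opens the remote registry -> no alert
    _ev("2024-05-01T10:05:00", 4624, "10.0.0.9"),
    _ev("2024-05-01T10:05:02", 5145, "10.0.0.9", r"\\*\IPC$", "winreg"),
    # 10.0.0.7: all four objects, but svcctl lands outside the window -> no alert
    _ev("2024-05-01T10:10:00", 4624, "10.0.0.7"),
    _ev("2024-05-01T10:10:02", 5145, "10.0.0.7", r"\\*\IPC$", "samr"),
    _ev("2024-05-01T10:10:04", 5145, "10.0.0.7", r"\\*\IPC$", "winreg"),
    _ev("2024-05-01T10:10:06", 5145, "10.0.0.7", r"\\*\C$", r"Windows\system32\config\SAM"),
    _ev("2024-05-01T10:10:45", 5145, "10.0.0.7", r"\\*\IPC$", "svcctl"),
]

if __name__ == "__main__":
    for kind, what, cmd in scan_commands(SAMPLE_COMMANDS):
        print(f"{kind:12} {what:12} {cmd}")
    print("remote dump pattern:", detect_remote_dump(SAMPLE_EVENTS))
```

The command-line check deliberately ignores reg query and reg add: only save/export of the three protected hives is a dump indicator, which keeps the rule quiet on routine registry use. The correlation keys on the source address rather than the account name because a remote dumper such as secretsdump authenticates once and then opens all four objects in one short session; staggered access from the same address, as in the 10.0.0.7 case, falls outside the window and is left to the single-object rules.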
Mitigation
ID | Name | Description
---|---|---
M1028 | Operating System Configuration | Consider disabling or restricting NTLM.
M1027 | Password Policies | Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
M1026 | Privileged Account Management | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
M1017 | User Training | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
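The RID notes above and the M1027 mitigation (unique local administrator passwords on every host) can be checked directly against dumped hashes: if the RID 500 account has the same NT hash on two hosts, it has the same password, and one compromised SAM gives the attacker both. The script below is an added example for this page, not the page's or any vendor's code. It parses the pwdump-style user:rid:lmhash:nthash::: lines that Impacket's secretsdump prints per host; the host names and all hashes except the two well-known empty values are constructed for the example.

```python
"""Audit dumped SAM hashes for blank and reused local passwords.

Added example for this page (not the page's or any vendor's code). It reports
which accounts are built-in by RID, which have a blank password, which still
store an LM hash, and which NT hash the built-in Administrator shares across
hosts. Host names and all hashes except EMPTY_NT and EMPTY_LM are constructed.
"""
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored

# Constructed secretsdump-style output per host (not real dumps).
DUMPS = {
    "WS01": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8c2f0c5e4d6a1b3e9f7a2c4d6e8f0a1b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:1f2e3d4c5b6a7988071625344352617f:::
""",
    "WS02": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8c2f0c5e4d6a1b3e9f7a2c4d6e8f0a1b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
""",
    "SRV01": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
deploy:1003:c0ffee00c0ffee00c0ffee00c0ffee00:deadbeef0123456789abcdefdeadbeef:::
kiosk:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
""",
}


def rid_class(rid):
    """Classify a local RID as the page's notes describe."""
    if rid == 500:
        return "built-in Administrator"
    if rid == 501:
        return "Guest"
    if rid >= 1000:
        return "local user"
    return "other built-in"


def parse_dump(host, text):
    """Parse pwdump-style lines into account records; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({
            "host": host, "user": parts[0], "rid": int(parts[1]),
            "lm": parts[2].lower(), "nt": parts[3].lower(),
        })
    return accounts


def audit(dumps):
    """Return blank-password accounts, accounts with an LM hash, and NT hashes
    shared across hosts by at least one RID 500 account."""
    accounts = [a for host, text in dumps.items() for a in parse_dump(host, text)]
    findings = {"blank_password": [], "lm_hash_present": [], "shared_admin_hash": {}}
    by_nt = defaultdict(list)
    for a in accounts:
        label = f'{a["host"]}\\{a["user"]}'
        if a["nt"] == EMPTY_NT:
            findings["blank_password"].append(label)
        if a["lm"] != EMPTY_LM:
            findings["lm_hash_present"].append(label)
        by_nt[a["nt"]].append(a)
    for nt, accs in by_nt.items():
        hosts = {a["host"] for a in accs}
        if nt != EMPTY_NT and len(hosts) > 1 and any(a["rid"] == 500 for a in accs):
            findings["shared_admin_hash"][nt] = [f'{a["host"]}\\{a["user"]}' for a in accs]
    return findings


if __name__ == "__main__":
    for host, text in DUMPS.items():
        for a in parse_dump(host, text):
            print(f'{host}\\{a["user"]:14} RID {a["rid"]:<5} {rid_class(a["rid"])}')
    for key, value in audit(DUMPS).items():
        print(f"{key}: {value}")
```

Matching on RID rather than on the name Administrator is what makes the shared-hash check robust: renaming the built-in account does not change its RID. The Guest entries show up as blank because Guest is disabled by default and has no password set, so the actionable blank-password finding here is the kiosk account on SRV01, and the actionable M1027 finding is the Administrator hash shared by WS01 and WS02.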