T1003.002: Security Account Manager
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those listed by the net user command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
Alternatively, the SAM can be extracted from the Registry with Reg:
reg save HKLM\sam sam
reg save HKLM\system system
Creddump7 can then be used to process the SAM database locally to retrieve hashes.
Notes:
- RID 500 account is the local, built-in administrator.
- RID 501 is the guest account.
- User accounts start with a RID of 1,000+.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- vulnerabilities: PT-CR-2236: CVE_2021_36934_HiveNightmare: Exploitation of vulnerability CVE-2021-36934 (HiveNightmare), which allows reading registry hive files from a shadow copy of a disk without administrator privileges
- active_directory_attacks: PT-CR-2542: RemoteKrbRelay_Usage: A user who is not the connection initiator was authenticated by Kerberos. This may indicate the use of the RemoteKrbRelay utility, which allows an attacker to remotely trigger and relay Kerberos authentication in order to gain access to a service with the privilege level of the target account using the CertifiedDCOM and SilverPotato techniques
- mitre_attck_cred_access: PT-CR-2312: MultiDump_Registry_Dump: The MultiDump utility was used to dump the SAM, SECURITY, and SYSTEM hives without triggering Defender alerts
- mitre_attck_cred_access: PT-CR-298: Access_System_Credential_Files_Via_Cmdline: An attempt to retrieve OS user credentials is detected
- mitre_attck_cred_access: PT-CR-1851: Symbolic_Link_To_Shadow_Copy_Created: Attackers can create symbolic links to Windows shadow copies to access files through these links, for example, ntds.dit
- mitre_attck_cred_access: PT-CR-311: Remote_Password_Dump: Remote access to SAMR, WINREG, SVCCTL, and C:\Windows\system32 within 30 seconds of user authentication
- mitre_attck_cred_access: PT-CR-2484: SharpSecretsdump_Usage: Signs of the C# SharpSecretsdump utility, a reimplementation of the secretsdump.py utility from Impacket. Unlike secretsdump.py, the utility can only be run locally on a host and does not use the Remote Registry service, which allows an attacker to bypass existing firewall, EDR, IDS, and other protection system rules and extract secrets from a compromised host
- mitre_attck_cred_access: PT-CR-301: Credential_Dump_In_Local_Registry: Possible dumping of user credentials is detected
- hacking_tools: PT-CR-2237: Go_Secdump_Activity: The go-secdump utility was used; it is a tool built to remotely extract hashes from the registry hives without any remote agent and without touching disk
- hacking_tools: PT-CR-2118: AdPEAS_Usage: The adPEAS script for domain reconnaissance was started
- hacking_tools: PT-CR-585: Impacket_Secretsdump: Use of Impacket Secretsdump is detected
- hacking_tools: PT-CR-758: Lazagne_Usage: Use of the LaZagne tool to dump credentials is detected
Detection

ID | Data source and component | Description
---|---|---
DS0022 | File: File Creation | Monitor newly constructed files being written with default names that contain credentials extracted from the Security Account Manager.
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may attempt to extract credential material from the Security Account Manager (SAM) database, either through in-memory techniques or through the Windows Registry where the SAM database is stored.
DS0022 | File: File Access | Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (
DS0024 | Windows Registry: Windows Registry Key Access | Monitor for the SAM registry key dump being created to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in use by adversaries may help as well.
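The following is an added example, not part of the Positive Technologies page or of the MaxPatrol rule set, showing how the DS0017 (Command Execution) and DS0022 (File Creation) guidance above, together with the reg save commands earlier on the page, can be turned into a check over endpoint telemetry. The event records are constructed, simplified Sysmon-style JSON lines (Event ID 1 for process creation, Event ID 11 for file creation) with assumed field names; the default output file names other than sam and system are assumptions as well.

```python
"""Added detection example for T1003.002 (not the page's or MaxPatrol's own rule logic).

Two of the detection opportunities listed above are implemented:
  * DS0017 Command Execution: reg.exe save/export of the SAM, SYSTEM or SECURITY hive
  * DS0022 File Creation:     a file written with one of the default names those
                              commands (and common dumpers) produce
"""
import json
import re
from pathlib import PureWindowsPath

# Hives whose export lets an attacker recover local password hashes offline.
HIVES = {"sam", "system", "security"}

# Matches "reg save HKLM\sam sam", "reg.exe export HKEY_LOCAL_MACHINE\SYSTEM ...",
# with or without a full path and quoting. Case-insensitive, verbose mode.
REG_SAVE_RE = re.compile(r"""(?ix)
    (?:^|[\\\s"])reg(?:\.exe)?"?\s+          # reg or reg.exe, possibly preceded by a path
    (?:save|export)\s+                       # only the hive-export verbs, not query/add
    "?(?:HKLM|HKEY_LOCAL_MACHINE)\\(sam|system|security)\b
    """)

# Default output names: "sam" and "system" come from the commands on the page;
# the .save/.hive variants are assumed conventions, not taken from the page.
DEFAULT_DUMP_NAMES = {
    "sam", "sam.save", "sam.hive",
    "system", "system.save", "system.hive",
    "security", "security.save", "security.hive",
}


def check_command(cmdline):
    """Return an alert reason for a hive-export command line, else None."""
    m = REG_SAVE_RE.search(cmdline)
    if m:
        return f"reg save/export of {m.group(1).upper()} hive"
    return None


def check_file_create(path):
    """Return an alert reason for a file created with a default dump name, else None.

    In production this would be scoped further (writing process, directory), since a
    benign file literally named 'system' would otherwise fire.
    """
    name = PureWindowsPath(path).name.lower()
    if name in DEFAULT_DUMP_NAMES:
        return f"dump file written with default name '{name}'"
    return None


def scan(lines):
    """Run both checks over JSON event lines; return (host, event_id, reason) tuples."""
    alerts = []
    for raw in lines:
        ev = json.loads(raw)
        if ev["EventID"] == 1:            # process creation: inspect the command line
            reason = check_command(ev["CommandLine"])
        elif ev["EventID"] == 11:         # file creation: inspect the target file name
            reason = check_file_create(ev["TargetFilename"])
        else:
            reason = None
        if reason:
            alerts.append((ev["Host"], ev["EventID"], reason))
    return alerts


# Constructed sample telemetry (field names assumed; JSON requires doubled backslashes).
SAMPLE_EVENTS = [
    r'{"Host": "ws01", "EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg save HKLM\\sam sam"}',
    r'{"Host": "ws01", "EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "\"C:\\Windows\\System32\\reg.exe\" save \"HKLM\\SYSTEM\" C:\\Temp\\system.save"}',
    r'{"Host": "ws01", "EventID": 11, "Image": "C:\\Windows\\System32\\reg.exe", "TargetFilename": "C:\\Temp\\system.save"}',
    r'{"Host": "ws02", "EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"}',
    r'{"Host": "ws02", "EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"}',
]

if __name__ == "__main__":
    for host, event_id, reason in scan(SAMPLE_EVENTS):
        print(f"{host} event {event_id}: {reason}")
```

Only the two ws01 command lines and the ws01 file write are reported; the reg query and the document write on ws02 are not. The command-line check covers only the Registry route described on the page; the in-memory techniques and the device-level file reads mentioned under DS0024 need the file access and registry key access sources rather than command-line matching.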
Mitigation

ID | Name | Description
---|---|---
M1026 | Privileged Account Management | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
M1017 | User Training | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
M1027 | Password Policies | Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
M1028 | Operating System Configuration | Consider disabling or restricting NTLM.