MaxPatrol SIEM

Detects cyber incidents that undermine a company's cyber resilience

T1003.002: Security Account Manager

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques.

Alternatively, the SAM can be extracted from the Registry with Reg:

  • reg save HKLM\sam sam
  • reg save HKLM\system system

Creddump7 can then be used to process the SAM database locally to retrieve hashes.

Notes:

  • RID 500 account is the local, built-in administrator.
  • RID 501 is the guest account.
  • User accounts start with a RID of 1,000+.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

hacking_tools: PT-CR-585: Impacket_Secretsdump: Use of Impacket Secretsdump is detected
hacking_tools: PT-CR-2118: adPEAS_Usage: The adPEAS script for domain reconnaissance was started
mitre_attck_cred_access: PT-CR-311: Remote_Password_Dump: Remote access to SAMR, WINREG, SVCCTL, and C:\Windows\system32 within 30 seconds of user authentication
vulnerabilities: PT-CR-2236: CVE_2021_36934_HiveNightmare: Exploitation of vulnerability CVE-2021-36934 (HiveNightmare) that allows reading registry hive files from a shadow copy of a disk without administrator privileges
hacking_tools: PT-CR-2237: Go_Secdump_Activity: The go-secdump utility was used, which is a tool built to remotely extract hashes from the registry hives without any remote agent and without touching disk
hacking_tools: PT-CR-758: Lazagne_Usage: Use of the LaZagne tool to dump credentials is detected
mitre_attck_cred_access: PT-CR-1851: Symbolic_Link_To_Shadow_Copy_Created: Attackers can create symbolic links to Windows shadow copies to access files in these links, for example, ntds.dit
mitre_attck_cred_access: PT-CR-2312: MultiDump_Registry_Dump: The MultiDump utility was used to dump SAM, SECURITY, and SYSTEM hives without triggering Defender alerts
mitre_attck_cred_access: PT-CR-298: Access_System_Credential_files_via_cmdline: An attempt to retrieve OS user credentials is detected
mitre_attck_cred_access: PT-CR-301: Credential_Dump_in_Local_Registry: Possible dumping of user credentials is detected

Detection

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Access
Description:

Monitor for the SAM registry key dump being created to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well.

ID: DS0022
Data source and component: File: File Access
Description:

Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM). Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.

ID: DS0022
Data source and component: File: File Creation
Description:

Monitor newly constructed files being written with default names that have extracted credentials from the Security Account Manager.
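The command-execution monitoring described above, worked through as an added example (not MaxPatrol rule logic or MITRE's own code): a Python detector run over constructed process-creation events that flags reg save/export of the SAM, SYSTEM and SECURITY hives, flags any command line naming the on-disk SAM hive (including through a shadow-copy device path), and correlates a SAM export with a SYSTEM export on the same host, since the SYSTEM boot key is what makes an exported SAM usable offline. The event schema, hostnames and the 60-second window are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the page), shaped like normalised 4688 / Sysmon 1 records; ts = seconds.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "user": "alice",
     "cmdline": r"reg save HKLM\sam C:\Users\Public\sam"},
    {"ts": 112, "host": "ws01", "user": "alice",
     "cmdline": r"reg.exe save hklm\system C:\Users\Public\system"},
    {"ts": 130, "host": "ws02", "user": "bob",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"ts": 145, "host": "ws03", "user": "carol",
     "cmdline": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\SAM"},
]

# reg save/export of the hives an offline dump needs: SAM (hashes), SYSTEM (boot
# key that decrypts them), SECURITY (LSA secrets).
HIVE_SAVE_RE = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+hklm\\(sam|system|security)\b", re.IGNORECASE)
# Command lines naming the on-disk SAM hive, including via a shadow-copy device
# path (the HiveNightmare case in the rule list above).
SAM_FILE_RE = re.compile(r"[\\/]windows[\\/]system32[\\/]config[\\/]sam\b", re.IGNORECASE)
CORRELATION_WINDOW_S = 60  # assumed threshold, not a MaxPatrol value

def classify(event):
    """Per-event rules: names of the rules that fire on one command line."""
    hits = []
    m = HIVE_SAVE_RE.search(event["cmdline"])
    if m:
        hits.append("registry_hive_save:" + m.group(1).lower())
    if SAM_FILE_RE.search(event["cmdline"]):
        hits.append("sam_hive_path_in_cmdline")
    return hits

def detect_sam_dump(events):
    """Run classify() over timestamp-ordered events and add one correlated alert
    when SAM and SYSTEM exports occur on the same host inside the window."""
    alerts = []
    hive_seen = defaultdict(dict)  # host -> {hive: ts of its last export}
    for ev in events:
        for rule in classify(ev):
            alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"], "ts": ev["ts"]})
            if rule.startswith("registry_hive_save:"):
                hive_seen[ev["host"]][rule.split(":", 1)[1]] = ev["ts"]
        seen = hive_seen[ev["host"]]
        if "sam" in seen and "system" in seen and abs(seen["sam"] - seen["system"]) <= CORRELATION_WINDOW_S:
            alerts.append({"rule": "sam_and_system_hive_export", "host": ev["host"], "user": ev["user"], "ts": ev["ts"]})
            hive_seen[ev["host"]] = {}  # fire once per SAM/SYSTEM pair
    return alerts
```

Case-insensitive matching matters here because reg.exe accepts hklm\sam in any case, and the correlated alert is the one worth paging on: a lone SYSTEM export also happens in legitimate backup scripts.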

Mitigation

ID: M1028
Name: Operating System Configuration
Description:

Consider disabling or restricting NTLM.

ID: M1027
Name: Password Policies
Description:

Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

ID: M1026
Name: Privileged Account Management
Description:

Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

ID: M1017
Name: User Training
Description:

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.