OS Credential Dumping: Security Account Manager (T1003.002)

Tactic: Credential Access · Platforms: Windows

The interactive view maps 1 detection strategy, 4 mitigations, 14 threat groups, 15 software entries, 7 campaigns to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of OS Credential Dumping (T1003).

Overview

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques:

* pwdumpx.exe * gsecdump * Mimikatz * secretsdump.py

Alternatively, the SAM can be extracted from the Registry with Reg:

* reg save HKLM\sam sam * reg save HKLM\system system

Creddump7 can then be used to process the SAM database locally to retrieve hashes.

Notes:

* RID 500 account is the local, built-in administrator. * RID 501 is the guest account. * User accounts start with a RID of 1,000+.

Explore