OS Credential Dumping: Security Account Manager (T1003.002)
Tactic: Credential Access · Platforms: Windows
The interactive view maps 1 detection strategy, 4 mitigations, 14 threat groups, 15 software entries, 7 campaigns to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of OS Credential Dumping (T1003).
Overview
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
* pwdumpx.exe * gsecdump * Mimikatz * secretsdump.py
Alternatively, the SAM can be extracted from the Registry with Reg:
* reg save HKLM\sam sam * reg save HKLM\system system
Creddump7 can then be used to process the SAM database locally to retrieve hashes.
Notes:
* RID 500 account is the local, built-in administrator. * RID 501 is the guest account. * User accounts start with a RID of 1,000+.