T1003.002: Security Account Manager
| View on MITRE ATT&CK | T1003.002 |
|---|---|
| Tactic(s) | Credential Access |
Data from MITRE ATT&CK®:
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
Alternatively, the SAM can be extracted from the Registry with Reg:
reg save HKLM\sam samreg save HKLM\system system
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
- RID 500 account is the local, built-in administrator.
- RID 501 is the guest account.
- User accounts start with a RID of 1,000+.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.Operating System Configuration
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.Password Policies
Set and enforce secure password policies for accounts.User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.How to detect this technique
MITRE ATT&CK Data Components
File Access (File)
Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Windows Registry Key Access (Windows Registry)
Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656)File Creation (File)
Initial construction of a new file (ex: Sysmon EID 11)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
dump volume shadow copy hives with certutil
WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
Registry parse with pypykatz
dump volume shadow copy hives with System.IO.File
Registry dump of SAM, creds, and secrets
esentutl.exe SAM copy
PowerDump Hashes and Usernames from Registry
Sigma Detections for this Technique
Credential Dumping Tools Service Execution - System
Critical Hive In Suspicious Location Access Bits Cleared
Dumping of Sensitive Hives Via Reg.EXE
Copying Sensitive Files with Credential Data
HackTool - Quarks PwDump Execution
Transferring Files with Credential Data via Network Shares
Potential SAM Database Dump
Credential Dumping Tools Service Execution - Security
QuarksPwDump Dump File
Transferring Files with Credential Data via Network Shares - Zeek
PowerShell SAM Copy
Esentutl Volume Shadow Copy Service Keys
NTDS.DIT Creation By Uncommon Process
Cred Dump Tools Dropped Files
Possible Impacket SecretDump Remote Activity
Volume Shadow Copy Mount
Shadow Copies Creation Using Operating Systems Utilities
Mimikatz Use
VolumeShadowCopy Symlink Creation Via Mklink
HackTool - Credential Dumping Tools Named Pipe Created
Antivirus Password Dumper Detection
Possible Impacket SecretDump Remote Activity - Zeek
HackTool - Pypykatz Credentials Dumping Activity
VSSAudit Security Event Source Registration
HackTool - Mimikatz Execution
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.