- Tactics
- Credential Access
- Platforms
- Windows
- Reference
- attack.mitre.org/techniques/T1003.002
Description
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
Alternatively, the SAM can be extracted from the Registry with Reg:
reg save HKLM\sam samreg save HKLM\system system
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
- RID 500 account is the local, built-in administrator.
- RID 501 is the guest account.
- User accounts start with a RID of 1,000+.
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Credential Access tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1003 — OS Credential Dumping
- T1040 — Network Sniffing
- T1056 — Input Capture
- T1110 — Brute Force
- T1111 — Multi-Factor Authentication Interception
- T1187 — Forced Authentication
- T1212 — Exploitation for Credential Access
- T1528 — Steal Application Access Token
- T1539 — Steal Web Session Cookie
- T1552 — Unsecured Credentials
- T1555 — Credentials from Password Stores
- T1556 — Modify Authentication Process