T1003.002 Security Account Manager

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques:

Alternatively, the SAM can be extracted from the Registry with Reg:

  • <code>reg save HKLM\sam sam</code>
  • <code>reg save HKLM\system system</code>

Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)

Notes:

  • RID 500 account is the local, built-in administrator.
  • RID 501 is the guest account.
  • User accounts start with a RID of 1,000+.
View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-02 Account Management Protects T1003.002 Security Account Manager
AC-03 Access Enforcement Protects T1003.002 Security Account Manager
AC-05 Separation of Duties Protects T1003.002 Security Account Manager
AC-06 Least Privilege Protects T1003.002 Security Account Manager
CA-07 Continuous Monitoring Protects T1003.002 Security Account Manager
CM-02 Baseline Configuration Protects T1003.002 Security Account Manager
CM-05 Access Restrictions for Change Protects T1003.002 Security Account Manager
CM-06 Configuration Settings Protects T1003.002 Security Account Manager
CM-07 Least Functionality Protects T1003.002 Security Account Manager
IA-02 Identification and Authentication (organizational Users) Protects T1003.002 Security Account Manager
IA-05 Authenticator Management Protects T1003.002 Security Account Manager
SC-28 Protection of Information at Rest Protects T1003.002 Security Account Manager
SC-39 Process Isolation Protects T1003.002 Security Account Manager
SI-03 Malicious Code Protection Protects T1003.002 Security Account Manager
SI-04 System Monitoring Protects T1003.002 Security Account Manager