Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
Alternatively, the SAM can be extracted from the Registry with Reg:
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1003.002 | OS Credential Dumping: Security Account Manager | |
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.002 | OS Credential Dumping: Security Account Manager | |
action.malware.variety.RAM scraper | RAM scraper or memory parser (capture data from volatile memory) | related-to | T1003.002 | OS Credential Dumping: Security Account Manager | |
attribute.confidentiality.data_disclosure | None | related-to | T1003.002 | OS Credential Dumping: Security Account Manager | |