T1003.002 Security Account Manager

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques.

Alternatively, the SAM can be extracted from the Registry with Reg:

  • reg save HKLM\sam sam
  • reg save HKLM\system system

Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)

Notes:

  • RID 500 account is the local, built-in administrator.
  • RID 501 is the guest account.
  • User accounts start with a RID of 1,000+.
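The Registry-based variant above leaves a clear process-creation trail: reg.exe invoked with the save verb against the SAM, SYSTEM or SECURITY hive, normally from a SYSTEM-level context. The following detection routine is an added example written for this page, not code from MITRE or from any of the tools mentioned; it runs over constructed process-creation events whose field names (pid, user, image, cmdline) are assumed to mirror what Sysmon Event ID 1 or Security Event 4688 would supply. It normalizes hive spellings (HKLM versus HKEY_LOCAL_MACHINE, quoting, trailing backslashes) so that trivial rewrites of the command line do not evade the match, and it also classifies the RID of a SID according to the notes above.

```python
import re

# Constructed sample events (not real telemetry). Field names are an assumption
# modelled on Sysmon Event ID 1 / Security 4688 process-creation data.
SAMPLE_EVENTS = [
    {"pid": 4120, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\sam sam"},
    {"pid": 4121, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg.exe  SAVE "HKEY_LOCAL_MACHINE\\SYSTEM" C:\\temp\\system.hiv'},
    {"pid": 4122, "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"pid": 4123, "user": "CORP\\backup", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg export HKLM\\Software\\Contoso app.reg"},
    {"pid": 4124, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\security security"},
]

HIVE_ALIASES = {"hkey_local_machine": "hklm"}
# Hives whose on-disk copies together yield local password hashes / LSA secrets.
SENSITIVE_HIVES = {"sam", "system", "security"}


def parse_reg_command(cmdline):
    """Return (verb, key) for a reg.exe command line, or None if it is not reg."""
    # Tokenize on whitespace but keep double-quoted arguments intact.
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    if len(tokens) < 3:
        return None
    exe = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe"):
        return None
    return tokens[1].lower(), tokens[2].strip('"')


def normalize_key(key):
    """Split a registry path into lowercase components with the root expanded to hklm."""
    parts = key.replace("/", "\\").strip("\\").lower().split("\\")
    parts[0] = HIVE_ALIASES.get(parts[0], parts[0])
    return parts


def is_sam_dump(cmdline):
    """True when the command saves the SAM, SYSTEM or SECURITY hive (or a subkey) to disk."""
    parsed = parse_reg_command(cmdline)
    if parsed is None:
        return False
    verb, key = parsed
    if verb != "save":
        return False
    parts = normalize_key(key)
    return len(parts) >= 2 and parts[0] == "hklm" and parts[1] in SENSITIVE_HIVES


def detect(events):
    """Return one alert per event that matches the T1003.002 registry pattern."""
    alerts = []
    for ev in events:
        if is_sam_dump(ev["cmdline"]):
            hive = normalize_key(parse_reg_command(ev["cmdline"])[1])[1]
            alerts.append({"pid": ev["pid"], "user": ev["user"],
                           "hive": hive, "technique": "T1003.002"})
    return alerts


def classify_rid(sid):
    """Label a local account SID using the RID conventions noted on this page."""
    rid = int(sid.rsplit("-", 1)[-1])
    if rid == 500:
        return "built-in Administrator"
    if rid == 501:
        return "Guest"
    if rid >= 1000:
        return "user account"
    return "other well-known RID"


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    # Constructed SID, not a real machine SID.
    print(classify_rid("S-1-5-21-111-222-333-500"))
```

In practice the same rule should be paired with a second signal, since reg.exe is only one route: file-creation events for new hive copies and Sysmon Event ID 10 (process access) against lsass.exe cover the in-memory path, and a baseline of which service accounts legitimately run reg save keeps the alert volume manageable.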

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.PS-01.01 | Configuration baselines | Mitigates | T1003.002 | Security Account Manager
  Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.
PR.PS-01.02 | Least functionality | Mitigates | T1003.002 | Security Account Manager
  Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003.002 | Security Account Manager
  Comments: This diagnostic statement protects against OS Credential Dumping: Security Account Manager through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems.
PR.PS-01.03 | Configuration deviation | Mitigates | T1003.002 | Security Account Manager
  Comments: This diagnostic statement provides protection from OS Credential Dumping: Security Account Manager through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. Security baseline configuration of the operating system and integrity checking can help protect against adversaries attempting to compromise hosts and elevate privileges.
PR.AA-01.01 | Identity and credential management | Mitigates | T1003.002 | Security Account Manager
  Comments: This diagnostic statement protects against OS Credential Dumping: Security Account Manager through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1003.002 | Security Account Manager
CM-06 | Configuration Settings | mitigates | T1003.002 | Security Account Manager
CM-05 | Access Restrictions for Change | mitigates | T1003.002 | Security Account Manager
IA-05 | Authenticator Management | mitigates | T1003.002 | Security Account Manager
SC-28 | Protection of Information at Rest | mitigates | T1003.002 | Security Account Manager
SC-39 | Process Isolation | mitigates | T1003.002 | Security Account Manager
SI-03 | Malicious Code Protection | mitigates | T1003.002 | Security Account Manager
CM-02 | Baseline Configuration | mitigates | T1003.002 | Security Account Manager
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1003.002 | Security Account Manager
CM-07 | Least Functionality | mitigates | T1003.002 | Security Account Manager
SI-04 | System Monitoring | mitigates | T1003.002 | Security Account Manager
AC-02 | Account Management | mitigates | T1003.002 | Security Account Manager
AC-03 | Access Enforcement | mitigates | T1003.002 | Security Account Manager
AC-05 | Separation of Duties | mitigates | T1003.002 | Security Account Manager
AC-06 | Least Privilege | mitigates | T1003.002 | Security Account Manager