A LIBRARY FOR SECURITY RESEARCHERS


T1003.002

Security Account Manager

SUB-TECHNIQUE Credential Access

Description

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the `net user` command. Enumerating the SAM database requires SYSTEM level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques:

  • pwdumpx.exe
  • [gsecdump](https://attack.mitre.org/software/S0008)
  • [Mimikatz](https://attack.mitre.org/software/S0002)
  • secretsdump.py

Alternatively, the SAM can be extracted from the Registry with Reg:

  • `reg save HKLM\sam sam`
  • `reg save HKLM\system system`

Creddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)

Notes:

  • RID 500 account is the local, built-in administrator.
  • RID 501 is the guest account.
  • User accounts start with a RID of 1,000+.
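
For defenders, the two `reg save` commands above leave a recognisable pair of process command lines. The following detection sketch is an added example, not part of the ATT&CK entry: it flags a host where both the SAM and SYSTEM hives are saved within a short window. The record layout (timestamp, host, command line), the five-minute window, the function names and the sample events are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (timestamp, host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "WS01", r"reg save HKLM\sam sam"),
    ("2024-01-01T10:00:20", "WS01",
     r'"C:\Windows\System32\reg.exe" SAVE hkey_local_machine\SYSTEM C:\Temp\system'),
    ("2024-01-01T11:00:00", "WS02", r"reg save HKLM\system system"),
    ("2024-01-01T11:05:00", "WS03", r"reg query HKLM\Software\Microsoft"),
    ("2024-01-01T12:00:00", "WS04", r"reg save HKLM\sam sam"),
    ("2024-01-01T13:30:00", "WS04", r"reg save HKLM\system system"),
]

# Matches "reg save" of the whole SAM or SYSTEM hive: case-insensitive, with or
# without a path/.exe/quotes, short or long root key name. A subkey such as
# HKLM\system\CurrentControlSet is not a whole-hive save and does not match.
REG_SAVE = re.compile(
    r'(?:^|[\\\s"])reg(?:\.exe)?"?\s+save\s+"?'
    r'(?:hklm|hkey_local_machine)\\(sam|system)(?=["\s]|$)',
    re.IGNORECASE,
)

def saved_hive(cmdline):
    """Return 'sam' or 'system' if the command line saves that hive, else None."""
    m = REG_SAVE.search(cmdline)
    return m.group(1).lower() if m else None

def find_hive_dumps(events, window=timedelta(minutes=5)):
    """Return (host, timestamp) for each save that completes a SAM+SYSTEM pair
    on the same host within `window`."""
    last = {}    # (host, hive) -> time of the most recent save of that hive
    alerts = []
    for ts, host, cmd in sorted(events):   # ISO timestamps sort chronologically
        hive = saved_hive(cmd)
        if hive is None:
            continue
        t = datetime.fromisoformat(ts)
        last[(host, hive)] = t
        other = last.get((host, "system" if hive == "sam" else "sam"))
        if other is not None and t - other <= window:
            alerts.append((host, ts))
    return alerts

if __name__ == "__main__":
    for host, ts in find_hive_dumps(SAMPLE_EVENTS):
        print(f"{ts} {host}: SAM and SYSTEM hives saved within window")
```

A lone save of either hive is still worth reviewing; `saved_hive` can be used on its own to surface those.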

Platforms

Windows

Mitigations

  • M1027 — Password Policies
  • M1026 — Privileged Account Management
  • M1028 — Operating System Configuration
  • M1017 — User Training

Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →
