T1003.002

Sub-technique Windows
Security Account Manager

Description

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command.

  • gsecdump
  • Mimikatz
  • secretsdump.py Alternatively, the SAM can be extracted from the Registry with Reg: * <code>reg save HKLM\sam sam</code>
  • <code>reg save HKLM\system system</code> Creddump7 can then be used to process the SAM database locally to retrieve hashes.
  • RID 501 is the guest account.
  • User accounts start with a RID of 1,000+.