# T1003.002 Security Account Manager

Technique

  • Tactics: Credential Access
  • Description:

    Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.

    A number of tools can be used to retrieve the SAM file through in-memory techniques:

    Alternatively, the SAM can be extracted from the Registry with Reg:

    • `reg save HKLM\sam sam`
    • `reg save HKLM\system system`

    Creddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)

    Notes:

    • RID 500 account is the local, built-in administrator.
    • RID 501 is the guest account.
    • User accounts start with a RID of 1,000+.
  • First Seen: Lazarus covets COVID-19-related intelligence • 2020-12-23
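As an added example (not part of the ATT&CK entry or any tool it names), the following Python check flags process-creation command lines that match the `reg save` pattern above. The log lines are constructed, and the input is assumed to be plain CommandLine strings such as Sysmon Event ID 1 or Windows 4688 with command-line auditing would record.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hives the technique needs: SAM holds the hashes, SYSTEM the boot key to decrypt them.
HIVES_OF_INTEREST = {"SAM", "SYSTEM"}

# Root key in short or long form, then the hive name, optionally deeper subkeys.
_KEY_RE = re.compile(r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\([A-Za-z]+)(?:\\.*)?$",
                     re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    hive: str
    command_line: str

def _tokens(command_line: str) -> List[str]:
    """Minimal Windows-style split: whitespace separates, double quotes group."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]

def _is_reg_exe(image: str) -> bool:
    """True for 'reg', 'reg.exe' or any full path ending in reg.exe."""
    return image.rsplit("\\", 1)[-1].lower() in ("reg", "reg.exe")

def check_command_line(command_line: str) -> Optional[Finding]:
    """Return a Finding when the line is 'reg save' of the SAM or SYSTEM hive."""
    tokens = _tokens(command_line)
    if len(tokens) < 3 or not _is_reg_exe(tokens[0]) or tokens[1].lower() != "save":
        return None
    match = _KEY_RE.match(tokens[2])
    if match and match.group(1).upper() in HIVES_OF_INTEREST:
        return Finding(match.group(1).upper(), command_line)
    return None

def scan(command_lines: List[str]) -> List[Finding]:
    """Run the check over a batch of CommandLine values and keep the hits."""
    return [f for f in map(check_command_line, command_lines) if f is not None]

# Constructed sample CommandLine values (not real telemetry): two hive saves
# that should alert and two benign reg.exe uses that should not.
SAMPLE_COMMAND_LINES = [
    r"reg save HKLM\sam sam",
    r'C:\Windows\System32\reg.exe  save "HKEY_LOCAL_MACHINE\SYSTEM" C:\temp\sys.hiv',
    r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"reg save HKLM\SOFTWARE\Contoso C:\temp\contoso.hiv",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(f"ALERT hive={finding.hive}: {finding.command_line}")
```

Because the page notes that SYSTEM level access is required, pairing this match with the parent process and the account that launched reg.exe gives the analyst the context needed to triage a hit.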
MITRE ATT&CK
