Find sigma rule

Attack: OS Credential Dumping: Security Account Manager

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques:

pwdumpx.exe
gsecdump
Mimikatz
secretsdump.py

Alternatively, the SAM can be extracted from the Registry with Reg:

reg save HKLM\sam sam
reg save HKLM\system system

Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)

Notes:

RID 500 account is the local, built-in administrator.
RID 501 is the guest account.
User accounts start with a RID of 1,000+.

MITRE

Tactic

credential-access

technique

T1003.002

Test : Registry dump of SAM, creds, and secrets

OS

windows

Description:

Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7

Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.

Executor

command_prompt

Sigma Rule

proc_creation_win_reg_dumping_sensitive_hives.yml (id: fd877b94-9bb5-4191-bb25-d79cbd93c167)
file_event_win_sam_dump.yml (id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test