Find sigma rule

Attack: OS Credential Dumping: Security Account Manager

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques:

pwdumpx.exe
gsecdump
Mimikatz
secretsdump.py

Alternatively, the SAM can be extracted from the Registry with Reg:

reg save HKLM\sam sam
reg save HKLM\system system

Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)

Notes:

RID 500 account is the local, built-in administrator.
RID 501 is the guest account.
User accounts start with a RID of 1,000+.

MITRE

Tactic

credential-access

technique

T1003.002

Test : PowerDump Hashes and Usernames from Registry

OS

windows

Description:

Executes a hashdump by reading the hashes from the registry.

Executor

powershell

Sigma Rule

posh_ps_set_policies_to_unsecure_level.yml (id: 61d0475c-173f-4844-86f7-f3eebae1c66b)
posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)
posh_ps_malicious_commandlets.yml (id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6)
posh_ps_malicious_keywords.yml (id: f62176f3-8128-4faa-bf6c-83261322e5eb)
posh_ps_win_api_susp_access.yml (id: 03d83090-8cba-44a0-b02f-0b756a050306)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test