Find sigma rule
Attack: OS Credential Dumping: Security Account Manager
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM-level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
Alternatively, the SAM can be extracted from the Registry with Reg:
reg save HKLM\sam sam
reg save HKLM\system system
Creddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)
Notes:
- The RID 500 account is the local, built-in administrator.
- RID 501 is the guest account.
- User accounts start with a RID of 1,000+.
MITRE
Tactic
- credential-access
Technique
- T1003.002
Test: Dump volume shadow copy hives with System.IO.File
OS
- windows
Description:
Dump hives from volume shadow copies with System.IO.File. CVE-2021-36934
Executor
powershell
Sigma Rule
- proc_creation_win_susp_sensitive_file_access_shadowcopy.yml (id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d)
- proc_creation_win_powershell_sam_access.yml (id: 1af57a4b-460a-4738-9034-db68b880c665)
- proc_creation_win_esentutl_sensitive_file_copy.yml (id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f)
- proc_creation_win_susp_copy_lateral_movement.yml (id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900)