Find sigma rule
Attack: OS Credential Dumping: Security Account Manager
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
Alternatively, the SAM can be extracted from the Registry with Reg:
reg save HKLM\sam sam
reg save HKLM\system system
Creddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)
Notes:
- RID 500 account is the local, built-in administrator.
- RID 501 is the guest account.
- User accounts start with a RID of 1,000+.
MITRE
Tactic
- credential-access
Technique
- T1003.002
Test: esentutl.exe SAM copy
OS
- windows
Description:
Copy the SAM hive using the esentutl.exe utility. The same approach can also be used to copy other files and hives, such as SYSTEM and NTUSER.dat.
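The two procedures this page describes, saving the SAM/SYSTEM hives with reg.exe and copying the on-disk SAM file with esentutl.exe, both leave a process-creation record that a detection engineer can match on. The following is an added example written for this page; it is not code from MITRE, Atomic Red Team or the Sigma project, and its matching heuristics are a deliberately simplified assumption of my own, not the logic of the two Sigma rules listed below. It assumes Sysmon-style Image and CommandLine fields, and every event in SAMPLE_EVENTS is constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed process-creation events (Sysmon EventID 1 style fields).
# Events 0-2 reproduce the two procedures described on this page;
# events 3-4 are benign uses of the same binaries that must not alert.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\sam sam"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'"C:\Windows\system32\reg.exe"  save  hklm\system C:\Users\Public\system'},
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y /vss C:\Windows\System32\config\SAM /d C:\Temp\SAM"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /mh C:\ProgramData\app\data.edb"},
]

# Registry hives that hold local credential material (assumed watch-list).
HIVE_KEYS = ("hklm\\sam", "hklm\\system", "hklm\\security")
# The same hives as on-disk files under %SystemRoot%\System32\config.
# A substring match also catches shadow-copy paths such as
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\Windows\System32\config\SAM.
HIVE_FILES = ("\\config\\sam", "\\config\\system", "\\config\\security")


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_credential_hive_access(event: dict) -> Optional[str]:
    """Label a process-creation event, or return None when it looks benign.

    Heuristic (assumption, not the Sigma rules' logic):
      * reg.exe with a 'save' or 'export' verb and a credential hive key
      * esentutl.exe whose command line names a credential hive file
    """
    image = _basename(event.get("Image", ""))
    # Collapse repeated whitespace and lower-case for case-insensitive matching.
    cmd = re.sub(r"\s+", " ", event.get("CommandLine", "")).lower()
    tokens = cmd.split(" ")

    if image == "reg.exe":
        has_verb = any(t in ("save", "export") for t in tokens)
        if has_verb and any(key in cmd for key in HIVE_KEYS):
            return "reg_hive_save"
        return None

    if image == "esentutl.exe":
        if any(hive_file in cmd for hive_file in HIVE_FILES):
            return "esentutl_hive_copy"
        return None

    return None


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Run the classifier over a batch and return (index, label) for each hit."""
    hits = []
    for idx, event in enumerate(events):
        label = classify_credential_hive_access(event)
        if label is not None:
            hits.append((idx, label))
    return hits


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The verb check for reg.exe is token-based rather than anchored to the start of the command line, so a quoted full path to reg.exe (event 1) is handled the same as a bare "reg". In production this logic belongs in the SIEM as the two listed Sigma rules; the point of the standalone version is to make the exact fields and substrings being matched, and the benign cases that must pass, explicit and testable.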
Executor
command_prompt
Sigma Rule
- proc_creation_win_esentutl_sensitive_file_copy.yml (id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f)
- image_load_dll_vss_ps_susp_load.yml (id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70)