Find sigma rule
Attack: OS Credential Dumping: Security Account Manager
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user
command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
Alternatively, the SAM can be extracted from the Registry with Reg:
reg save HKLM\sam sam
reg save HKLM\system system
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
- RID 500 account is the local, built-in administrator.
- RID 501 is the guest account.
- User accounts start with a RID of 1,000+.
MITRE
Tactic
- credential-access
technique
- T1003.002
Test : dump volume shadow copy hives with certutil
OS
- windows
Description:
Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as “HiveNightmare” or “SeriousSAM”. This can be done with a non-admin user account. CVE-2021-36934
Executor
command_prompt
Sigma Rule
-
proc_creation_win_susp_copy_lateral_movement.yml (id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900)
-
proc_creation_win_susp_sensitive_file_access_shadowcopy.yml (id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d)
-
proc_creation_win_esentutl_sensitive_file_copy.yml (id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f)
-
image_load_dll_vss_ps_susp_load.yml (id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70)
-
proc_creation_win_certutil_encode.yml (id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a)
-
proc_creation_win_susp_shell_spawn_susp_program.yml (id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde)
-
file_event_win_shell_write_susp_directory.yml (id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43)