Find sigma rule

Attack: OS Credential Dumping: Security Account Manager

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques.

Alternatively, the SAM can be extracted from the Registry with Reg.

Creddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)


Test: dump volume shadow copy hives with certutil


Description:

Dump hives from volume shadow copies with the certutil utility, exploiting the vulnerability known as "HiveNightmare" or "SeriousSAM" (CVE-2021-36934). This can be done with a non-admin user account.

Executor: command_prompt
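The precondition this test relies on can be checked from the defender's side. The following PowerShell script is an added example, not code from this page or from the test's authors; it assumes the Microsoft-documented cause of CVE-2021-36934 (the hive files under %windir%\System32\config carrying an ACL that lets BUILTIN\Users read them) together with the documented workaround, and reports whether a host is exposed.

```powershell
# Added example (not part of the original page): posture check for CVE-2021-36934.
# Assumption (from Microsoft's advisory): affected hosts have hive files under
# %windir%\System32\config whose ACL grants BUILTIN\Users read access, so any
# volume shadow copy exposes SAM/SYSTEM/SECURITY to non-admin users.
# Run in an elevated PowerShell session.

$hives     = 'SAM', 'SYSTEM', 'SECURITY'
$configDir = Join-Path $env:windir 'System32\config'

$exposed = @()
foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    # Reading the security descriptor needs only READ_CONTROL, so this works
    # even though the live hive file is held open exclusively by the kernel.
    $acl = Get-Acl -Path $path
    # Any Allow ACE for the local Users group that includes ReadData is the problem.
    $userRead = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    if ($userRead) { $exposed += $hive }
}

# Shadow copies are the second precondition: without one, the live hives stay locked.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue

if ($exposed.Count -eq 0) {
    Write-Output 'Hive ACLs do not grant BUILTIN\Users read access: not affected.'
} else {
    Write-Output ("BUILTIN\Users can read: {0}" -f ($exposed -join ', '))
    if ($shadows) {
        Write-Output ("{0} shadow copy(ies) present: hives are readable by non-admins." -f @($shadows).Count)
    } else {
        Write-Output 'No shadow copies present; still fix the ACL before one is created.'
    }
    # Microsoft's documented workaround: restore ACL inheritance on the config
    # directory contents, then delete existing shadow copies so stale copies
    # no longer carry the readable hives.
    Write-Output "Remediate: icacls $configDir\*.* /inheritance:e  then remove shadow copies (vssadmin delete shadows)."
}
```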
