Security Account Manager (SAM)
https://attack.mitre.org/techniques/T1003/002/
ATT&CK ID: T1003.002
Permissions Required: SYSTEM
Description
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user
command. Enumerating the SAM database requires SYSTEM level access.
Linux Techniques
Crackmapexec
Secretsdump
Windows Techniques
DumpSam
This tool will filter out some default accounts such as Guest and the wdagutilityaccount account from the results.
Github: https://github.com/The-Viper-One/PME-Scripts/blob/main/DumpSAM.ps1
HiveDump
Github: https://github.com/tmenochet/PowerDump/blob/master/HiveDump.ps1
Mimikatz
Metasploit
Mitigation
LAPS
The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.
Restrict NTLM Traffic
Last updated