Description
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
* pwdumpx.exe
* gsecdump
* Mimikatz
* secretsdump.py
Alternatively, the SAM can be extracted from the Registry with Reg:
```
reg save HKLM\sam sam
reg save HKLM\system system
```
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
* RID 500 account is the local, built-in administrator.
* RID 501 is the guest account.
* User accounts start with a RID of 1,000+.
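The Registry path described above (`reg save` against the SAM and SYSTEM hives) leaves a clear trace in process-creation telemetry, which is where a defender would look for it. The following is an added detection example, not code from the ATT&CK page: it runs two rules over constructed process-creation events shaped like Sysmon Event ID 1 / Windows 4688 fields. The first rule flags `reg save`/`reg export` of the HKLM SAM, SYSTEM or SECURITY hives (SECURITY is included as a generalization; SYSTEM matters because it holds the boot key needed to decrypt the SAM). The second rule matches the tool filenames listed on this page and is deliberately treated as a weak indicator. The event shape, field names and sample lines are assumptions.

```python
"""Added example (not from the ATT&CK page): detect SAM hive dumping patterns
in constructed process-creation events (Sysmon Event ID 1 / Windows 4688 shape)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hives whose export yields credential material (SAM, SECURITY) or the boot
# key needed to decrypt it (SYSTEM). Exporting any of them is suspicious.
SENSITIVE_HIVES = ("sam", "system", "security")

# "reg save" / "reg export" against HKLM\<hive>. Tolerates a full path to
# reg.exe, quoting, and the long HKEY_LOCAL_MACHINE spelling.
REG_HIVE_EXPORT = re.compile(
    r"""
    (?:^|[\\/\s"])reg(?:\.exe)?"?\s+     # reg or ...\reg.exe, optionally quoted
    (save|export)\s+                      # only subcommands that write a hive out
    "?(?:hklm|hkey_local_machine)\\(sam|system|security)\b
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Tool names listed on the page. Weak indicator: a filename is trivially
# renamed, so this only adds context to the command-line rule above.
KNOWN_DUMP_TOOLS = {"pwdumpx.exe", "gsecdump.exe", "secretsdump.py", "mimikatz.exe"}


@dataclass
class Event:
    image: str          # full path of the created process
    command_line: str   # its command line
    user: str           # account the process runs as


@dataclass
class Finding:
    rule: str
    hive: Optional[str]  # hive targeted, or None for the tool-name rule
    user: str
    command_line: str


def check_event(ev: Event) -> Optional[Finding]:
    """Return a Finding for a suspicious event, else None.

    The hive rule deliberately ignores the user: the export only succeeds as
    SYSTEM, but a failed attempt by a lower-privileged account is still worth
    an alert."""
    m = REG_HIVE_EXPORT.search(ev.command_line)
    if m:
        return Finding("reg_hive_export", m.group(2).lower(), ev.user, ev.command_line)
    basename = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in KNOWN_DUMP_TOOLS:
        return Finding("known_dump_tool", None, ev.user, ev.command_line)
    return None


def scan(events: List[Event]) -> List[Finding]:
    """Apply check_event to every event and keep the hits, in input order."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample telemetry: two hive exports, three benign commands, one
# tool-name hit.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\reg.exe", r"reg save HKLM\sam sam", r"NT AUTHORITY\SYSTEM"),
    Event(r"C:\Windows\System32\reg.exe",
          r'"C:\Windows\System32\reg.exe" save HKEY_LOCAL_MACHINE\SYSTEM C:\temp\sys.hiv',
          r"LAB\admin"),
    Event(r"C:\Windows\System32\reg.exe",
          r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run", r"LAB\bob"),
    Event(r"C:\Windows\System32\reg.exe", r"reg save HKCU\Software\App app.hiv", r"LAB\bob"),
    Event(r"C:\Windows\System32\notepad.exe", r"notepad.exe readme.txt", r"LAB\bob"),
    Event(r"C:\Users\bob\Downloads\gsecdump.exe", r"gsecdump.exe -a", r"LAB\bob"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:16} hive={f.hive!s:9} user={f.user:20} cmd={f.command_line}")
```

Run against the constructed events, the scan reports the `sam` and `system` exports and the `gsecdump.exe` execution, and stays silent on `reg query`, an HKCU export and notepad. In production the hive rule belongs on every host, while the tool-name rule is best kept as enrichment rather than a stand-alone alert.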
Mitigations (4)
Password Policies (M1027)
Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Privileged Account Management (M1026)
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
Operating System Configuration (M1028)
Consider disabling or restricting NTLM.(Citation: Microsoft Disable NTLM Nov 2012)
User Training (M1017)
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
Threat Groups (14)
| ID | Group | Context |
|---|---|---|
| G1034 | Daggerfly | [Daggerfly](https://attack.mitre.org/groups/G1034) used [Reg](https://attack.mitre.org/software/S0075) to dump the Security Account Manager (SAM) hive... |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used <code>reg</code> commands to dump specific hives from the Windows Registry, such as the SAM hive... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used the `reg save` command to save registry hives.(Citation: Mandiant APT29 Eye Spy Email Nov 22) |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has extracted the SAM and SYSTEM registry hives using the `reg.exe` binary for obtaining password hashe... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has used vssadmin to copy registry hives including SAM.(Citation: Trend Micro Earth Kasha NOV 2024... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has dropped and executed SecretsDump to dump password hashes.(Citation: US-CERT TA18-074A) |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has dumped credentials, including by using gsecdump.(Citation: Mandiant Operation Ke3chang November ... |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) dumped the SAM file on victim machines to capture credentials.(Citation: Unit42 Agrius 2023) |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) extracted user account data from the Security Account Manager (SAM), making a copy of this database fr... |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has copied and exfiltrated the SAM Registry hive from targeted systems.(Citation: Mandiant Pulse Secure ... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.(... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors have used [gsecdump](https://attack.mitre.org/software/S0008) to dump credentials. T... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has acquired credentials from the SAM/SECURITY registry hives.(Citation: FireEye KEGTAP SINGLEM... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) acquires victim credentials by extracting registry hives such as the Security Account Manager thro... |
Associated Software (15)
| ID | Name | Type | Context |
|---|---|---|---|
| S0488 | CrackMapExec | Tool | [CrackMapExec](https://attack.mitre.org/software/S0488) can dump usernames and hashed passwords from the SAM.(Citation: CME Github September 2018) |
| S0008 | gsecdump | Tool | [gsecdump](https://attack.mitre.org/software/S0008) can dump Windows password hashes from the SAM.(Citation: Microsoft Gsecdump) |
| S0250 | Koadic | Tool | [Koadic](https://attack.mitre.org/software/S0250) can gather hashed passwords by dumping SAM/SECURITY hive.(Citation: Github Koadic) |
| S0006 | pwdump | Tool | [pwdump](https://attack.mitre.org/software/S0006) can be used to dump credentials from the SAM.(Citation: Wikipedia pwdump) |
| S0376 | HOPLIGHT | Malware | [HOPLIGHT](https://attack.mitre.org/software/S0376) has the capability to harvest credentials and passwords from the SAM database.(Citation: US-CERT H... |
| S0002 | Mimikatz | Tool | [Mimikatz](https://attack.mitre.org/software/S0002) performs credential dumping to obtain account and password information useful in gaining access to... |
| S0125 | Remsec | Malware | [Remsec](https://attack.mitre.org/software/S0125) can dump the SAM database.(Citation: Kaspersky ProjectSauron Technical Analysis) |
| S0046 | CozyCar | Malware | Password stealer and NTLM stealer modules in [CozyCar](https://attack.mitre.org/software/S0046) harvest stored credentials from the victim, including ... |
| S0080 | Mivast | Malware | [Mivast](https://attack.mitre.org/software/S0080) has the capability to gather NTLM password information.(Citation: Symantec Backdoor.Mivast) |
| S0357 | Impacket | Tool | SecretsDump and [Mimikatz](https://attack.mitre.org/software/S0002) modules within [Impacket](https://attack.mitre.org/software/S0357) can perform cre... |
| S0371 | POWERTON | Malware | [POWERTON](https://attack.mitre.org/software/S0371) has the ability to dump password hashes.(Citation: FireEye APT33 Guardrail) |
| S0050 | CosmicDuke | Malware | [CosmicDuke](https://attack.mitre.org/software/S0050) collects Windows account hashes.(Citation: F-Secure The Dukes) |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can recover hashed passwords.(Citation: cobaltstrike manual) |
| S1022 | IceApple | Malware | [IceApple](https://attack.mitre.org/software/S1022)'s Credential Dumper module can dump encrypted password hashes from SAM registry keys, including `H... |
| S0120 | Fgdump | Tool | [Fgdump](https://attack.mitre.org/software/S0120) can dump Windows password hashes.(Citation: Mandiant APT1) |
Frequently Asked Questions
What is T1003.002 (Security Account Manager)?
T1003.002 is a MITRE ATT&CK technique named 'Security Account Manager'. It belongs to the Credential Access tactic(s). Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is st...
How can T1003.002 be detected?
Detection of T1003.002 (Security Account Manager) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1003.002?
There are 4 documented mitigations for T1003.002. Key mitigations include: Password Policies, Privileged Account Management, Operating System Configuration, User Training.
Which threat groups use T1003.002?
Known threat groups using T1003.002 include: Daggerfly, GALLIUM, APT29, FIN13, MirrorFace, Dragonfly, Ke3chang, Agrius.