MITRE Technique [T1003.002] OS Credential Dumping: Security Account Manager

[T1003.002] OS Credential Dumping: Security Account Manager – Adversaries extract password hashes from the Windows Security Account Manager (SAM) by reading the SAM file or registry keys, enabling lateral movement and persistence. Protecting and monitoring access to %SystemRoot%/system32/config/SAM and the SAM registry keys reduces risk. #CredentialDumping #SAM

Keypoints

  • SAM stores local account hashes and requires SYSTEM privileges to enumerate.
  • Adversaries use tools like Mimikatz, pwdumpx, gsecdump, and secretsdump.py to extract hashes.
  • Attackers may dump SAM from disk (%SystemRoot%/system32/config/SAM) or registry via reg save.
  • Some tools create in-memory copies or access the disk device to bypass file protections.
  • Detection sources include command execution, file access/creation, and Windows registry key access logs.

Description:

  • Like a thief cracking a house safe, attackers try to open the SAM to steal credential “keys” that let them move freely across a system.
  • Adversaries obtain the SAM database from disk or registry (or by reading it in memory) to extract password hashes. With these hashes they can perform pass-the-hash, offline cracking, or create forged tokens, enabling lateral movement, privilege escalation, and long-term access.

Detection:

  • Log and alert on attempts to read or open %SystemRoot%/system32/config/SAM by non-SYSTEM processes using file-access auditing (enable Object Access > File System auditing in the Advanced Audit Policy and set a SACL on the file).
  • Monitor process creation logs for reg save and similar commands that export HKLM\SAM or HKLM\SYSTEM, and alert on usage outside known administrative activity.
  • Use EDR to detect Mimikatz, pwdumpx, secretsdump, gsecdump, and Creddump7 signatures, and flag in-memory LSADUMP or SAM parsing behaviors.
  • Collect and analyze Windows Registry Key Access events (ETW/Windows Audit) for unexpected access to SAM registry keys; correlate with process and user context to reduce false positives.
  • Inspect for processes opening the physical disk device or using raw file parsing techniques; treat unusual device handles from user processes as high risk.
  • Hunt for lateral movement indicators and unusual use of valid accounts (T1078) after suspected dumps; correlate with authentication logs and Kerberos/NTLM activity to confirm abuse.
  • Reduce false positives by baselining legitimate backup, AV, and forensic tool behavior; create allowlists for known admin maintenance tasks and block known dumpers at process/executable level.
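The detection bullets above can be expressed as a small rule set run over normalised telemetry. The following is an added example written for this page, not MITRE's code or any vendor's rule syntax: it assumes simplified event records (process creation, file access, registry key access, and EDR handle-open telemetry), a constructed set of sample events, and an assumed allowlist containing the Windows Backup engine as a baselined process.

```python
"""Rule set for T1003.002 detections over constructed sample telemetry.

Added example (not MITRE's code). Event shapes, the allowlist, and the
sample events are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# %SystemRoot%\system32\config\SAM, either slash style
SAM_FILE_RE = re.compile(r"[\\/]system32[\\/]config[\\/]SAM$", re.IGNORECASE)
# SAM registry hive in native or HKLM notation
SAM_KEY_RE = re.compile(
    r"^(?:\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\SAM(?:\\|$)", re.IGNORECASE)
# reg save / reg.exe save of the SAM or SYSTEM hive
REG_SAVE_RE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:HKLM|HKEY_LOCAL_MACHINE)[\\/](SAM|SYSTEM)\b",
    re.IGNORECASE)
# Raw disk or volume device paths such as \\.\PhysicalDrive0 or \\.\C:
RAW_DEVICE_RE = re.compile(r"^\\\\[.?]\\(?:PhysicalDrive\d+|[A-Z]:)$", re.IGNORECASE)
# Dumper image names named in the text above
KNOWN_DUMPERS = {"mimikatz.exe", "pwdumpx.exe", "gsecdump.exe",
                 "secretsdump.py", "creddump7.exe"}
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
# Assumed baseline: processes allowed to open the SAM file without alerting
ALLOWLIST_IMAGES = {r"c:\windows\system32\wbengine.exe"}


@dataclass
class Event:
    """Normalised telemetry record (assumed shape). source is one of:
    process_creation, file_access, registry_access, handle_open."""
    source: str
    subject: str            # account the process runs as
    image: str              # full path of the process image
    command_line: str = ""
    object_name: str = ""   # file path, registry key or device path


@dataclass
class Alert:
    rule: str
    severity: str
    subject: str
    image: str


def evaluate(ev: Event) -> list[Alert]:
    """Apply every rule to one event and return the alerts it raises."""
    alerts: list[Alert] = []
    image_name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    is_system = ev.subject in SYSTEM_ACCOUNTS
    allowlisted = ev.image.lower() in ALLOWLIST_IMAGES

    if ev.source == "process_creation":
        # Rule 1: known dumper executed (EDR/process-creation logging)
        if image_name in KNOWN_DUMPERS:
            alerts.append(Alert("known_dumper", "high", ev.subject, ev.image))
        # Rule 2: reg save of the SAM or SYSTEM hive
        m = REG_SAVE_RE.search(ev.command_line)
        if m:
            alerts.append(Alert(f"reg_save_{m.group(1).lower()}", "high",
                                ev.subject, ev.image))
    elif ev.source == "file_access":
        # Rule 3: non-SYSTEM, non-baselined process opens the SAM file
        if SAM_FILE_RE.search(ev.object_name) and not is_system and not allowlisted:
            alerts.append(Alert("sam_file_access", "high", ev.subject, ev.image))
    elif ev.source == "registry_access":
        # Rule 4: unexpected access to the SAM registry keys
        if SAM_KEY_RE.match(ev.object_name) and not is_system:
            alerts.append(Alert("sam_registry_access", "high", ev.subject, ev.image))
    elif ev.source == "handle_open":
        # Rule 5: user process opens the raw disk device (bypasses file ACLs)
        if RAW_DEVICE_RE.match(ev.object_name) and not is_system:
            alerts.append(Alert("raw_disk_handle", "medium", ev.subject, ev.image))
    return alerts


def detect(events: list[Event]) -> list[Alert]:
    """Run the rule set over a batch of events, preserving event order."""
    return [a for ev in events for a in evaluate(ev)]


# Constructed sample telemetry: the first three, sixth and seventh should alert
SAMPLE_EVENTS = [
    Event("process_creation", "CORP\\jdoe", "C:\\Windows\\System32\\reg.exe",
          command_line="reg save HKLM\\sam C:\\temp\\sam.hiv"),
    Event("process_creation", "CORP\\jdoe", "C:\\Users\\jdoe\\Downloads\\mimikatz.exe",
          command_line="mimikatz.exe"),
    Event("file_access", "CORP\\jdoe", "C:\\Users\\jdoe\\tool.exe",
          object_name="C:\\Windows\\System32\\config\\SAM"),
    Event("file_access", "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\lsass.exe",
          object_name="C:\\Windows\\System32\\config\\SAM"),       # legitimate
    Event("file_access", "CORP\\backupsvc", "C:\\Windows\\System32\\wbengine.exe",
          object_name="C:\\Windows\\System32\\config\\SAM"),       # allowlisted
    Event("handle_open", "CORP\\jdoe", "C:\\Users\\jdoe\\tool.exe",
          object_name="\\\\.\\PhysicalDrive0"),
    Event("registry_access", "CORP\\jdoe", "C:\\Windows\\System32\\reg.exe",
          object_name="\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users"),
    Event("process_creation", "CORP\\jdoe", "C:\\Windows\\System32\\reg.exe",
          command_line="reg query HKLM\\Software\\Microsoft"),     # benign
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.subject} via {a.image}")
```

The allowlist is keyed on the full image path and the SYSTEM exemption on the subject account, matching the baselining advice in the last bullet; in production both should be paired with signature or hash checks on the image, since a dumper renamed to an allowlisted name would otherwise pass the path comparison.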

Tactics:
Credential Access

Platforms:
Windows

Data Sources:
Command: Command Execution, File: File Access, File: File Creation, Windows Registry: Windows Registry Key Access

Relationship Citations:
(Citation: US-CERT TA18-074A),(Citation: Mandiant APT1),(Citation: McAfee Night Dragon),(Citation: CrowdStrike IceApple May 2022),(Citation: NCSC Joint Report Public Tools),(Citation: Wikipedia pwdump),(Citation: Mandiant Pulse Secure Update May 2021),(Citation: Directory Services Internals DPAPI Backup Keys Oct 2015),(Citation: Rostovcev APT41 2021),(Citation: US-CERT HOPLIGHT Apr 2019),(Citation: Mandiant APT29 Eye Spy Email Nov 22),(Citation: Sygnia Elephant Beetle Jan 2022),(Citation: Nearest Neighbor Volexity),(Citation: GitHub Mimikatz lsadump Module),(Citation: F-Secure The Dukes),(Citation: CISA GRU29155 2024),(Citation: Dragos FROSTYGOOP 2024),(Citation: Symantec Daggerfly 2023),(Citation: FireEye APT33 Guardrail),(Citation: Microsoft Gsecdump),(Citation: Deply Mimikatz),(Citation: Symantec Backdoor.Mivast),(Citation: FireEye KEGTAP SINGLEMALT October 2020),(Citation: SecureWorks BRONZE UNION June 2017),(Citation: Cadet Blizzard emerges as novel threat actor),(Citation: Github Koadic),(Citation: Cybereason Soft Cell June 2019),(Citation: cobaltstrike manual),(Citation: Impacket Tools),(Citation: Dell TG-3390),(Citation: Cybereason OperationCuckooBees May 2022),(Citation: NCC Group APT15 Alive and Strong),(Citation: Unit42 Agrius 2023),(Citation: Mandiant APT41),(Citation: Kaspersky ProjectSauron Technical Analysis),(Citation: CME Github September 2018),(Citation: Mandiant Operation Ke3chang November 2014),(Citation: PWC Cloud Hopper Technical Annex April 2017),(Citation: Github AD-Pentest-Script),(Citation: F-Secure CozyDuke),(Citation: Microsoft Disable NTLM Nov 2012)

Read More: https://attack.mitre.org/techniques/T1003/002