Detections
Analytics
OS Credential Dumping: Security Account Manager
Description
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.
The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | WMI | Local Users | Plugin ID: 72684 |
References
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Credential Access
Technique: OS Credential Dumping
Sub-Technique: Security Account Manager
Platform: Windows
Products Required: Tenable.io
Tenable Release Date: 2022 Q2