OS Credential Dumping: Security Account Manager

Description

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database, either through in-memory techniques or through the Windows Registry, where the SAM database is stored.
The SAM is a database file that contains the local accounts for the host, typically those listed by the net user command. Enumerating the SAM database requires SYSTEM-level access.

Products, Sensors, and Dependencies

Product: Tenable.io

Dependencies: Advanced Network Scan

Data source: Windows machines

Access required: Authenticated Scan

Protocol: WMI

Data Collected: Local Users

Notes: Plugin ID: 72684

References

Nessus Plugins: Enumerate Users via WMI

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Platform: Windows

Products Required: Tenable.io

Tenable Release Date: 2022 Q2