Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.
The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
Products, Sensors, and Dependencies
|Product||Dependencies||Data source||Access required||Protocol||Data Collected||Notes|
|Tenable.io||Advanced Network Scan||Windows machines||Authenticated Scan||WMI||Local Users||Plugin ID: 72684|