Security Account Manager

Information

• Name: Security Account Manager

• ID: T1003.002

• Tactics: TA0006

• Technique: T1003

Introduction

The Security Account Manager (SAM) [T1003.002] sub-technique, part of the MITRE ATT&CK framework under Credential Dumping (T1003), involves extracting credential information stored within the Windows Security Account Manager database. Attackers target the SAM database to retrieve password hashes, which can be subsequently cracked or used in pass-the-hash attacks, enabling unauthorized access and lateral movement within compromised environments.

Deep Dive Into Technique

The Security Account Manager (SAM) database is a critical Windows component that stores user account credentials in hashed form. Attackers typically target SAM to extract these hashes and leverage them for further malicious activities. Detailed technical aspects include:

• Location and Structure:

  • SAM database file located at %SystemRoot%\System32\config\SAM.

  • Contains hashed passwords (NTLM hashes) for local accounts.

• Accessing SAM Database:

  • Requires administrative privileges or elevated access.

  • Commonly accessed by attackers through:

    • Shadow copies (Volume Shadow Copy Service - VSS).

    • Offline extraction (booting into another OS or recovery environment).

    • Direct access using tools like Mimikatz, PwDump, fgdump, or secretsdump.py from Impacket.

• Extraction Methods:

  • Local Extraction: Attackers with local administrator privileges may directly copy the SAM file and SYSTEM registry hive, then extract hashes offline.

  • Volume Shadow Copy Extraction: Attackers leverage VSS snapshots to copy locked SAM files without triggering file access restrictions or alerts.

  • Registry Hives Dumping: Attackers export registry hives (SYSTEM and SAM) and parse them offline using specialized tools.

• Hash Usage:

  • Extracted hashes can be cracked offline using dictionary or brute-force attacks.

  • Attackers can reuse hashes directly in "Pass-the-Hash" attacks, bypassing the need to crack passwords.

When this Technique is Usually Used

Attackers commonly employ SAM credential dumping at various stages of their intrusion lifecycle, including:

• Initial Access and Privilege Escalation:

  • After gaining initial foothold, attackers escalate privileges to administrator level to access SAM.

• Credential Access and Persistence:

  • Attackers extract credentials to maintain persistent access to compromised systems.

• Lateral Movement:

  • Using extracted hashes, attackers move laterally across networks by authenticating to other systems without needing plaintext passwords.

• Reconnaissance and Information Gathering:

  • Attackers gather user account information and credentials for further reconnaissance and targeted attacks.

• Preparation for Further Attacks:

  • Credential harvesting from SAM database provides attackers with resources to conduct future attacks, espionage, or ransomware deployment.

How this Technique is Usually Detected

Detection of SAM credential dumping relies on monitoring specific indicators, behaviors, and tools usage:

• Monitoring for Suspicious File Access:

  • Alerts triggered by access to %SystemRoot%\System32\config\SAM and %SystemRoot%\System32\config\SYSTEM.

  • Unusual access patterns or copying of these files.

• Event Log Analysis:

  • Windows Security Event Logs (Event ID 4656, 4663) indicate access attempts to sensitive registry hives or SAM files.

  • System logs showing unexpected Volume Shadow Copy Service (VSS) activity (Event ID 8222, 8224).

• Endpoint Detection and Response (EDR) Tools:

  • Detecting known tools and utilities commonly associated with SAM dumping, such as:

    • Mimikatz

    • PwDump, fgdump

    • secretsdump.py (Impacket suite)

  • Behavioral detection rules for suspicious processes accessing registry hives or creating shadow copies.

• Network Traffic Analysis:

  • Identification of lateral movement attempts using Pass-the-Hash techniques.

  • Monitoring SMB authentication logs for anomalous authentication patterns.

• Indicators of Compromise (IoCs):

  • Presence of tools or binaries associated with credential dumping.

  • Unexpected registry hive exports or shadow copies creation.

  • Abnormal administrative logins or authentication events.

Why it is Important to Detect This Technique

Early detection of SAM credential dumping is critical due to its severe implications for security posture and operational continuity:

• Privilege Escalation and Unauthorized Access:

  • Attackers gain administrative credentials, significantly increasing their control and capability to cause harm.

• Lateral Movement and Network Compromise:

  • Extracted hashes enable attackers to move freely across networked systems without detection, expanding the scope of compromise.

• Persistence and Long-Term Access:

  • Attackers establish persistent footholds, complicating eradication and remediation efforts.

• Data Exfiltration and Espionage:

  • Attackers may leverage compromised credentials to access sensitive data, intellectual property, or personal information.

• Ransomware and Destructive Attacks:

  • Credential dumping often precedes ransomware deployment, enabling attackers to encrypt critical systems and data.

• Compliance and Regulatory Implications:

  • Compromise of credentials and unauthorized access can lead to regulatory fines, legal consequences, and reputational damage.

Examples

Real-world attacks and scenarios involving SAM credential dumping include:

• NotPetya Ransomware Attack (2017):

  • Attackers utilized credential dumping techniques, including SAM database extraction, enabling lateral movement across networks.

  • Tools used included Mimikatz, resulting in widespread damage and disruption.

• APT29 (Cozy Bear) Activities:

  • Known to leverage credential dumping from SAM and registry hives for lateral movement and persistence.

  • Frequently used Mimikatz and customized scripts for credential harvesting.

• Operation Cloud Hopper (APT10):

  • Attackers targeted managed service providers (MSPs), extracting credentials from SAM databases to compromise client networks.

  • Leveraged credential dumping to maintain long-term, stealthy access.

• Ryuk Ransomware Campaigns:

  • Attackers routinely employed credential dumping, including SAM extraction, to propagate ransomware across enterprise networks.

  • Utilized tools like Mimikatz and secretsdump.py to extract credentials rapidly.

• FIN7 Cybercrime Group:

  • Used credential dumping extensively, including SAM database extraction, for lateral movement and data exfiltration.

  • Often leveraged publicly available tools (Mimikatz, PwDump) combined with custom scripts to evade detection.

These examples illustrate the prevalence, severity, and impact of credential dumping via the Security Account Manager, underscoring the importance of proactive detection and response strategies.