-
Notifications
You must be signed in to change notification settings - Fork 6
/
attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011.json
44 lines (44 loc) · 2.81 KB
/
attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
{
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1003.002",
"url": "https://attack.mitre.org/techniques/T1003/002"
},
{
"url": "https://github.com/Neohapsis/creddump7",
"description": "Flathers, R. (2018, February 19). creddump7. Retrieved April 11, 2018.",
"source_name": "GitHub Creddump7"
}
],
"created_by_ref": "The MITRE Corporation",
"name": "Security Account Manager",
"description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.\n\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe\n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with Reg:\n\n* <code>reg save HKLM\\sam sam</code>\n* <code>reg save HKLM\\system system</code>\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)\n\nNotes: \n* RID 500 account is the local, built-in administrator.\n* RID 501 is the guest account.\n* User accounts start with a RID of 1,000+.\n",
"id": "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011",
"type": "attack-pattern",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"modified": "2020-03-25T15:17:30.640Z",
"created": "2020-02-11T18:42:07.281Z",
"x_mitre_contributors": [
"Ed Williams, Trustwave, SpiderLabs"
],
"x_mitre_data_sources": [
"Process command-line parameters",
"PowerShell logs",
"Process monitoring"
],
"x_mitre_permissions_required": [
"SYSTEM"
],
"x_mitre_detection": "Hash dumpers open the Security Accounts Manager (SAM) on the local file system (<code>%SystemRoot%/system32/config/SAM</code>) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well.",
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Windows"
]
}