
H3-2021-0042

Credential Dumping - Security Account Manager (SAM) Database

Category SECURITY_CONTROLS
Base Score 7.2

Description

The Windows Security Account Manager (SAM) database stores the credentials of all local users as NTLM hashes. The database is only accessible with administrative privileges. There are multiple methods of dumping the SAM database, such as extracting it from the registry, accessing backup files, and using tools like Mimikatz and Impacket's secretsdump.py to pull it from memory.
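As an added example, not part of this advisory, the script below sketches detection logic for the three dumping paths the description names: reads of the live SAM hive by a process other than lsass.exe, access to on-disk backup copies of the hive, and process launches that export the hive or run a named dumping tool. It runs over constructed sample events; the dictionary field names are an assumed generic SIEM normalisation of Windows Security events 4663 (object access) and 4688 (process creation), not any product's actual schema, and the allowlist and backup paths are assumptions to be tuned per environment.

```python
"""
Detection sketch for the SAM-dumping paths named in the advisory. Event dicts
are constructed for this example; field names mirror a generic normalisation
of Windows Security events 4663 (object access) and 4688 (process creation),
not any particular product's schema.
"""
import re

# Live hive, as it appears in the ObjectName field of event 4663.
SAM_HIVE_PREFIX = r"\registry\machine\sam"

# lsass.exe reads the SAM as part of normal local logon handling. Anything
# else reading the hive is worth review. Assumed allowlist; tune per host role.
ALLOWED_SAM_READERS = {"lsass.exe"}

# On-disk copies of the hive that the advisory's "backup files" method targets
# (lower-case suffixes, matched against the file ObjectName).
BACKUP_SAM_SUFFIXES = (
    r"\windows\repair\sam",
    r"\windows\system32\config\regback\sam",
    r"\windows\system32\config\sam",
)

# Tools the advisory names. Name matching is a weak signal on its own
# (renamed binaries evade it) but cheap to include.
TOOL_NAME = re.compile(r"mimikatz|secretsdump", re.IGNORECASE)

# reg.exe save/export of the SAM hive, i.e. the "extract it from the registry" path.
REG_HIVE_EXPORT = re.compile(
    r"\breg(\.exe)?\s+(save|export)\s+.*\b(hklm|hkey_local_machine)\\sam\b",
    re.IGNORECASE,
)


def _basename(path):
    """Lower-case file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert dict per matching event, in event order."""
    alerts = []
    for e in events:
        eid = e.get("event_id")
        obj = e.get("object_name", "").lower()
        proc = _basename(e.get("process_name", ""))
        cmd = e.get("command_line", "")
        user = e.get("user", "?")
        rule = None

        if eid == 4663:
            if obj.startswith(SAM_HIVE_PREFIX) and proc not in ALLOWED_SAM_READERS:
                rule = "sam_hive_access"
            elif obj.endswith(BACKUP_SAM_SUFFIXES):
                rule = "sam_backup_file_access"
        elif eid == 4688:
            if REG_HIVE_EXPORT.search(cmd):
                rule = "sam_hive_export"
            elif TOOL_NAME.search(proc) or TOOL_NAME.search(cmd):
                rule = "known_dumping_tool"

        if rule:
            alerts.append({"rule": rule, "user": user, "process": proc,
                           "detail": cmd or e.get("object_name", "")})
    return alerts


# Constructed sample events: one benign SAM read by lsass, then one event per
# dumping path, then a benign process launch.
SAMPLE_EVENTS = [
    {"event_id": 4663, "user": "SYSTEM",
     "process_name": r"C:\Windows\System32\lsass.exe",
     "object_name": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users"},
    {"event_id": 4663, "user": r"CORP\jdoe",
     "process_name": r"C:\Windows\System32\reg.exe",
     "object_name": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account"},
    {"event_id": 4688, "user": r"CORP\jdoe",
     "process_name": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg.exe save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"event_id": 4663, "user": r"CORP\jdoe",
     "process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "object_name": r"C:\Windows\Repair\SAM"},
    {"event_id": 4688, "user": r"CORP\jdoe",
     "process_name": r"C:\Users\Public\mimikatz.exe",
     "command_line": r"mimikatz.exe"},
    {"event_id": 4688, "user": r"CORP\jdoe",
     "process_name": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['rule']:24} user={a['user']} process={a['process']} :: {a['detail']}")
```

The hive-access rule depends on object-access auditing (SACL on the SAM key) being enabled, otherwise event 4663 is never written; the process-creation rule depends on command-line logging being turned on for event 4688. Without both, only the weak tool-name match remains.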

Impact

Attackers who are able to dump the SAM database can log in as any local user by pass-the-hash (PtH), without ever cracking the hashes. Where the same local credentials are reused across machines, attackers can also move laterally to other systems and the data on them.

References