Credential Dumping - Security Account Manager (SAM) Database
The Windows Security Account Manager (SAM) database stores credentials as NTLM hashes for all local users. This database is only accessible with administrative privileges. There are multiple methods to dumping the SAM database such as extracting it from the registry, accessing backup files, and using tools like Mimikatz and Impacket secretsdump.py to pull it from memory.
Attackers who are able to dump the SAM database can log in as any local user by passing the hash (PTH). Additionally, attackers can exploit credential re-use to move laterally to access other systems and data.