Security Account Manager
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the `net user` command. Enumerating the SAM database requires SYSTEM-level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques:

* pwdumpx.exe
* ...
PROCEDURES (30)
Auto-extracted: 4 detections for dump
Auto-extracted: 3 detections for registry
Auto-extracted: 2 detections for api
Auto-extracted: 2 detections for event log
Auto-extracted: 2 detections for shadow cop
Auto-extracted: 2 detections for service
Auto-extracted: 2 detections for script block
Auto-extracted: 2 detections for credential
Auto-extracted: 2 detections for registry
Auto-extracted: 2 detections for ntds
Auto-extracted: 2 detections for suspicious
Auto-extracted: 2 detections for dump
Auto-extracted: 1 detections for file monitoring
Auto-extracted: 1 detections for exfiltrat
Auto-extracted: 1 detections for ntds
Auto-extracted: 1 detections for shadow cop
Auto-extracted: 1 detections for remote
Auto-extracted: 1 detections for exfiltrat
Auto-extracted: 1 detections for lateral
Auto-extracted: 1 detections for azure
Auto-extracted: 1 detections for credential
Auto-extracted: 1 detections for mimikatz
Auto-extracted: 1 detections for lateral
Auto-extracted: 1 detections for service
Auto-extracted: 1 detections for dump
Auto-extracted: 1 detections for mimikatz
Auto-extracted: 1 detections for dump
Auto-extracted: 1 detections for mimikatz
Auto-extracted: 1 detections for dump
Auto-extracted: 1 detections for remote