
OS Credential Dumping: Security Account Manager T1003.002

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the `net user` command. Enumerating the SAM database requires SYSTEM level access.

Events covered

20 catalog events are tagged with this technique by at least one rule.

| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 11 | FileCreate |
| Sysmon | 12 | RegistryEvent (Object create and delete) |
| Sysmon | 13 | RegistryEvent (Value Set) |
| Sysmon | 14 | RegistryEvent (Key and Value Rename) |
| Sysmon | 17 | PipeEvent (Pipe Created) |
| Sysmon | 18 | PipeEvent (Pipe Connected) |
| Security-Auditing | 4624 | An account was successfully logged on. |
| Security-Auditing | 4663 | An attempt was made to access an object. |
| Security-Auditing | 4672 | Special privileges assigned to new logon. |
| Security-Auditing | 4688 | A new process has been created. |
| Security-Auditing | 4697 | A service was installed in the system. |
| Security-Auditing | 4904 | An attempt was made to register a security event source. |
| Security-Auditing | 4905 | An attempt was made to unregister a security event source. |
| Security-Auditing | 5145 | A network share object was checked to see whether client can be granted desired access. |
| Kernel-General | 16 | The access history in hive HiveName was cleared updating KeysUpdated keys and creating DirtyPages modified pages. |
| Ntfs | 98 | Volume DriveName (DeviceName) CorruptionActionState. |
| PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| Service-Control-Manager | 7045 | A service was installed in the system. |
| Windows-Error-Reporting | 1001 | Fault bucket , type. |

Authoring guide

Patterns shared across the 26 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (23 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| CommandLine | 8 | match 7, eq 1 | `/y`, `\windows\ntds\ntds.dit`, `\config\security`, `save`, `hkey_local_machine` |
| Image | 7 | ends_with 7, match 1 | `\pwsh.exe`, `\esentutl.exe`, `\reg.exe`, `esentutl.exe`, `\pypykatz.exe` |
| Provider_Name | 4 | eq 4 | `Microsoft-Windows-WER-SystemErrorReporting`, `Service Control Manager`, `Microsoft-Windows-Kernel-General`, `Microsoft-Windows-Ntfs` |
| TargetFilename | 4 | ends_with 3, match 3 | `\pwdump.exe`, `\kirbi`, `\wce_krbtkts`, `.dmp`, `\AppData\Local\Temp\SAM-` |
| RelativeTargetName | 3 | eq 2, match 2 | `winreg`, `SYSTEM32\`, `.tmp`, `Windows\NTDS\ntds.dit`, `\sqldmpr` |
| OriginalFileName | 3 | eq 3 | `\esentutl.exe`, `reg.exe`, `PowerShell.EXE`, `wmic.exe`, `pwsh.dll` |
| EventID | 3 | eq 3 | `4104`, `4663`, `4624` |
| EventType | 1 | eq 1 | `logged-in-special` |
| PrivilegeList | 1 | eq 1 | `SeBackupPrivilege` |
| ServiceFileName | 1 | match 1 | `servpw`, `dumpsvc`, `gsecdump` |
| ImagePath | 1 | match 1 | `servpw`, `dumpsvc`, `gsecdump` |
| HiveName | 1 | match 1 | `\Temp\SECURITY`, `\Temp\SAM` |
| TargetObject | 1 | match 1 | `System\CurrentControlSet\Services\VSS\Start`, `System\CurrentControlSet\Services\VSS` |
| PipeName | 1 | match 1 | `\cachedump`, `\lsadump`, `\wceservicepipe` |
| ShareName | 1 | eq 1 | `\\\\\*\\ADMIN$` |

Top indicator values (210 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| Image | ends_with | `\pwsh.exe` | 2 | 140 |
| Image | ends_with | `\powershell.exe` | 2 | 143 |
| RelativeTargetName | eq | `winreg` | 1 | |
| PrivilegeList | eq | `SeBackupPrivilege` | 1 | |
| EventType | eq | `logged-in-special` | 1 | |
| Image | ends_with | `\esentutl.exe` | 1 | 8 |
| CommandLine | match | `\config\sam` | 1 | |
| CommandLine | match | `\config\RegBack\system` | 1 | |
| CommandLine | match | ` /m ` | 1 | |
| CommandLine | match | ` /y ` | 1 | 2 |
| CommandLine | match | `\config\RegBack\sam` | 1 | |
| CommandLine | match | `\config\RegBack\security` | 1 | |
| CommandLine | match | `\config\system ` | 1 | |
| CommandLine | match | `\repair\sam` | 1 | |
| CommandLine | match | `\config\security` | 1 | |
| CommandLine | match | `\windows\ntds\ntds.dit` | 1 | 2 |
| CommandLine | match | `\repair\system` | 1 | |
| CommandLine | match | `vss` | 1 | |
| OriginalFileName | eq | `\esentutl.exe` | 1 | |
| CommandLine | match | `\repair\security` | 1 | |

Common exclusions (1 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| PrivilegeList | eq | `SeDebugPrivilege` | 1 |
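The operator semantics and the combine-then-exclude guidance above, as an added example that is not the catalog's own code: a small Python evaluator for the normalized predicates this page tabulates (eq, ends_with, match taken as a case-insensitive substring test, wildcard) with top-level not() exclusions, run over constructed Sysmon event 1 and Security 4672 records built from the page's sample values. The two rules are assumed composites for illustration, not any of the 26 catalog rules; the block also shows that the first selection group on its own (a high-reach Image indicator) fires on every process event while the full rule isolates one.

```python
# Added example (not catalog code): evaluator for the normalized predicate operators
# this page tabulates; events and rules are constructed from its sample values.
import fnmatch
from typing import Callable, Dict, List, Sequence, Tuple
Event = Dict[str, str]
Predicate = Tuple[str, str, str]  # (field, operator, value)
# Sigma-style comparisons are case-insensitive; "match" is a substring test.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "eq": lambda got, want: got.lower() == want.lower(),
    "ends_with": lambda got, want: got.lower().endswith(want.lower()),
    "match": lambda got, want: want.lower() in got.lower(),
    "wildcard": lambda got, want: fnmatch.fnmatchcase(got.lower(), want.lower()),
}

def holds(event: Event, pred: Predicate) -> bool:
    field, op, want = pred
    got = event.get(field)  # a missing field never satisfies a predicate
    return got is not None and OPERATORS[op](got, want)

def rule_matches(event: Event, selection: Sequence[Sequence[Predicate]],
                 exclusions: Sequence[Predicate] = ()) -> bool:
    """AND across groups, OR within a group; any exclusion hit (a top-level
    not() clause, as in the page's last table) vetoes the match."""
    return (all(any(holds(event, p) for p in g) for g in selection)
            and not any(holds(event, p) for p in exclusions))

# Constructed Sysmon event 1 and Security 4672 style records, not real telemetry.
EVENTS: List[Event] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"EventID": "1", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"EventID": "1", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hkey_local_machine\sam C:\Temp\constructed.hiv"},
    {"EventID": "4672", "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"},
    {"EventID": "4672", "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"},
]

# Group 0 alone is a high-reach indicator (corpus reach 140+ on this page);
# groups 1-2 add technique-specific CommandLine values from the fields table.
COMPOSITE = [[("Image", "ends_with", r"\powershell.exe"), ("Image", "ends_with", r"\reg.exe")],
             [("CommandLine", "match", "save"), ("CommandLine", "match", r"\config\sam")],
             [("CommandLine", "match", "hkey_local_machine")]]
# Page's one recorded exclusion; "match" not "eq" since a 4672 PrivilegeList lists several privileges.
PRIV = [[("EventID", "eq", "4672")], [("PrivilegeList", "match", "SeBackupPrivilege")]]
PRIV_EXCL = [("PrivilegeList", "match", "SeDebugPrivilege")]

def hits(selection, exclusions=()) -> List[int]:  # indexes of EVENTS the rule fires on
    return [i for i, e in enumerate(EVENTS) if rule_matches(e, selection, exclusions)]
```

Compare `hits(COMPOSITE[:1])` (the lone Image indicator) with `hits(COMPOSITE)` and `hits(PRIV, PRIV_EXCL)` against `hits(PRIV)` to see the narrowing each added group and each exclusion buys.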

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

- Sigma: 22 rules
- Elastic: 1 rule
- Splunk: 3 rules