Security Account Manager

The Security Account Manager (SAM) database is a fundamental component of Windows operating systems, essential for managing user accounts and security descriptors. Due to its storage of hashed user passwords, the SAM database becomes a lucrative target for attackers aiming to gain unauthorized access, escalate privileges, perform lateral movements within a network, and maintain persistence. This overview explores the techniques attackers use to extract credentials from the SAM, methods for detecting these attacks, and the challenges faced in detection and mitigation.

In-Memory Techniques

LSASS Memory Dumping:

One of the most effective and commonly used techniques for extracting credentials from the SAM involves dumping the memory of the Local Security Authority Subsystem Service (LSASS). LSASS is responsible for enforcing the security policies on the system, handling password changes, and overseeing authentication processes. Since LSASS interacts directly with the SAM database, it holds critical credential material. Attackers, with local administrator privileges, can use tools like Mimikatz, ProcDump, or Windows Credential Editor (WCE) to dump the memory of the LSASS process, thereby extracting password hashes and, in some cases, plaintext passwords.

Credential Dumping Tools:

Beyond Mimikatz, a variety of other tools and custom scripts exist that can perform similar functions to extract credentials from memory. These tools exploit the fact that sensitive material must be loaded into memory at some point to be used, which lets attackers capture it through memory dumping techniques. For example, attackers may use ProcDump with a command like:

procdump.exe -accepteula -ma lsass.exe lsass.dmp

This command creates a full memory dump of the LSASS process (lsass.exe) and saves it as lsass.dmp, which attackers can later analyze offline to extract credentials.

Windows Registry Techniques

Direct SAM File Access:

The SAM database file is stored on disk at %SystemRoot%\system32\config\SAM and is loaded into the registry as the HKEY_LOCAL_MACHINE\SAM hive. While Windows is running, the file is held open exclusively by the operating system and cannot be read or copied directly. However, attackers with physical access to the machine can boot from an alternate operating system, such as a live Linux USB, and read the file from the offline disk. Monitoring for unauthorized access attempts to the SAM file, especially at abnormal times or from unexpected sources, can help in detecting these direct access attempts.

Registry Hive Dumping:

Attackers can also extract credentials by dumping the registry hives. Tools like reg.exe can export registry hives if the attacker has the required privileges. The exported hives require further processing and decryption to retrieve useful credential data, because Windows encrypts the stored password hashes using the boot key (SYSKEY), which is itself held in the SYSTEM hive. An example command for exporting the SAM hive using reg.exe is:

reg save HKLM\SAM C:\Temp\SAM

This command saves the SAM registry hive to the C:\Temp directory, where the attacker can later process and decrypt it.

Volume Shadow Copy:

Another method involves creating a volume shadow copy of the Windows volume, which allows access to locked files, including the SAM file. Tools such as vssadmin, wmic, and other third-party utilities can create shadow copies that attackers can then explore to extract the SAM and SYSTEM registry hives. Commands to create and list shadow copies using vssadmin include:

vssadmin create shadow /for=C:
vssadmin list shadows

These commands create a shadow copy of the C: drive and list existing shadow copies, respectively. Once a shadow copy is created, it can be mounted and explored to extract sensitive files.

Detection Strategies

Process Monitoring:

Detecting credential extraction from the SAM requires a multi-faceted approach. Process monitoring is central: track processes that open or dump the memory of the LSASS process, detect the execution of known credential dumping tools, and watch for suspicious processes that interact with sensitive files such as the SAM database.

File Monitoring:

File monitoring involves tracking access to sensitive files, such as the SAM database and the NTDS.dit file, and alerting on unauthorized access or copying attempts. It also includes monitoring for the creation of dump files, especially in system directories or unusual locations, since these are typically associated with credential dumping activity.

Registry Monitoring:

Registry monitoring entails tracking changes to SAM-related registry keys and to those associated with credential storage and security settings, such as the WDigest protocol and LSA secrets. This includes alerting when an export of the SAM hive is created and tracking the use of tools and commands that interact with the registry to export hives.

Command Line Monitoring:

Analyzing command line arguments for signs of credential dumping activities is another crucial detection strategy. This involves detecting commands that include parameters indicative of credential dumping, such as sekurlsa::logonpasswords, commonly used by tools like Mimikatz.
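The process, file, registry and command-line monitoring described above can be combined into one rule set. The following is an added example, not code from the original page: it runs simple detection rules over a handful of constructed events in an assumed, simplified Sysmon-like shape (process creation, process access and file creation), flagging the commands this page discusses, a non-allowlisted process opening LSASS with read access, and the creation of a dump file. The event format, field names and the LSASS reader allowlist are assumptions for the example.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (an assumed
# format for this example, not a real log export). Event 1 = process create,
# 10 = process access, 11 = file create.
EVENTS = [
    {"id": 1, "image": r"C:\Tools\procdump.exe",
     "cmd": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"id": 1, "image": r"C:\Windows\System32\reg.exe", "cmd": r"reg save HKLM\SAM C:\Temp\SAM"},
    {"id": 1, "image": r"C:\Windows\System32\reg.exe", "cmd": r"reg query HKLM\SOFTWARE\Contoso"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin create shadow /for=C:"},
    {"id": 1, "image": r"C:\Users\bob\m.exe", "cmd": "m.exe sekurlsa::logonpasswords"},
    {"id": 10, "source": r"C:\Users\bob\m.exe", "target": r"C:\Windows\system32\lsass.exe", "access": "0x1010"},
    {"id": 10, "source": r"C:\Windows\System32\csrss.exe", "target": r"C:\Windows\system32\lsass.exe", "access": "0x1400"},
    {"id": 11, "image": r"C:\Tools\procdump.exe", "file": r"C:\Temp\lsass.dmp"},
]

# Command-line indicators for the techniques described on this page.
CMD_RULES = [
    ("lsass_memory_dump", re.compile(r"procdump.*\s-ma\s.*\blsass\b", re.I)),
    ("sam_hive_export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("shadow_copy_create", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("mimikatz_sekurlsa", re.compile(r"sekurlsa::", re.I)),
]
PROCESS_VM_READ = 0x10  # access right required to read another process's memory
# Assumed allowlist of system processes that legitimately open LSASS; tune it per environment.
LSASS_READER_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


def analyze(events):
    """Return (rule_name, event) pairs for events that match a credential-dumping indicator."""
    hits = []
    for ev in events:
        if ev["id"] == 1:  # process creation: inspect the command line
            for name, rx in CMD_RULES:
                if rx.search(ev["cmd"]):
                    hits.append((name, ev))
        elif ev["id"] == 10 and ev["target"].lower().endswith("lsass.exe"):
            # process access: a non-allowlisted process opening LSASS with read rights
            mask = int(ev["access"], 16)
            if mask & PROCESS_VM_READ and ev["source"].lower() not in LSASS_READER_ALLOWLIST:
                hits.append(("lsass_process_access", ev))
        elif ev["id"] == 11 and ev["file"].lower().endswith(".dmp"):
            # file creation: any .dmp deserves a look; one named after lsass is a strong indicator
            rule = "lsass_dump_file" if "lsass" in ev["file"].lower() else "dump_file_created"
            hits.append((rule, ev))
    return hits
```

Calling analyze(EVENTS) flags six of the eight constructed events and leaves the benign reg query and the csrss.exe access to LSASS unflagged; in production the allowlist and the dump-file rule would be tuned against a baseline of normal activity.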

Behavioral Analysis:

Behavioral analysis helps identify deviations from normal system behavior. This includes using behavioral analytics to detect processes that do not typically access LSASS or the SAM but suddenly attempt to do so, and establishing baselines for normal access patterns to sensitive processes and files. Alerting on deviations from these patterns can indicate credential dumping attempts.

Network Monitoring:

Network monitoring involves detecting outbound network connections that may indicate the exfiltration of dumped credentials. Monitoring for signs of lateral movement, such as the use of stolen credentials to access additional systems, is also essential.

EDR Tools:

Endpoint Detection and Response (EDR) tools play a significant role in detecting credential dumping attempts. EDR tools collect detailed telemetry on process execution, file access, and registry changes. Leveraging EDR analytics to detect and respond to suspicious behaviors indicative of credential dumping enhances overall security.

Challenges in Detection

Legitimate Use of Tools:

One significant challenge in detecting credential dumping is the legitimate use of administrative tools. Some credential dumping techniques involve using legitimate tools, leading to potential false positives. Implementing strict access controls and auditing the use of administrative tools can mitigate this challenge.

Evasion Techniques:

Attackers often use various evasion techniques, such as code injection and stealthy access methods, to avoid detection. Employing advanced behavioral analytics and anomaly detection can help identify these evasion techniques.

High Privileges:

Credential dumping typically involves processes running with high privileges, complicating the distinction between legitimate and malicious activities. Enforcing the principle of least privilege and limiting the use of high-privilege accounts can help mitigate this issue.

Encrypted and Protected Data:

Some credential stores are encrypted or protected by the operating system, requiring sophisticated methods to detect unauthorized access. Utilizing advanced decryption and forensic tools can aid in analyzing encrypted and protected data.

Mitigation Strategies

Disable or Restrict NTLM:

Consider disabling or restricting NTLM to reduce the attack surface.

Use Complex, Unique Passwords:

Ensure local administrator accounts have complex, unique passwords across all systems on the network to prevent easy credential guessing or reuse.

Limit Local Admin Accounts:

Avoid placing user or admin domain accounts in local administrator groups across systems unless strictly necessary. This practice helps minimize the risk associated with compromised credentials.

Credential Hygiene:

Train users and administrators to use unique passwords for different accounts and avoid credential reuse. This practice reduces the risk of attackers leveraging stolen credentials across multiple accounts and systems.
