Security Account Manager - T1003.002
(ATT&CK® Technique)
Definition
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the `net user` command. Enumerating the SAM database requires SYSTEM-level access.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1003002["Security Account Manager"] --> |may-access| Process["Process"]; class T1003002 OffensiveTechniqueNode; class Process ArtifactNode; click Process href "/dao/artifact/d3f:Process"; click T1003002 href "/offensive-technique/attack/T1003.002/"; click Process href "/dao/artifact/d3f:Process"; T1003002["Security Account Manager"] --> |may-access| SystemPasswordDatabase["System Password Database"]; class T1003002 OffensiveTechniqueNode; class SystemPasswordDatabase ArtifactNode; click SystemPasswordDatabase href "/dao/artifact/d3f:SystemPasswordDatabase"; click T1003002 href "/offensive-technique/attack/T1003.002/"; click SystemPasswordDatabase href "/dao/artifact/d3f:SystemPasswordDatabase"; T1003002["Security Account Manager"] --> |may-access| AuthenticationService["Authentication Service"]; class T1003002 OffensiveTechniqueNode; class AuthenticationService ArtifactNode; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService"; click T1003002 href "/offensive-technique/attack/T1003.002/"; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] --> | analyzes | AuthenticationService["Authentication Service"]; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.-> | May Detect | T1003002["Security Account Manager"] ; class ProcessSelf-ModificationDetection DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] --> | analyzes | Process["Process"]; class ProcessSelf-ModificationDetection DefensiveTechniqueNode; class Process ArtifactNode; click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | AuthenticationService["Authentication Service"]; 
ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | May Detect | T1003002["Security Account Manager"] ; class ProcessSpawnAnalysis DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | Process["Process"]; class ProcessSpawnAnalysis DefensiveTechniqueNode; class Process ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessTermination["Process Termination"] --> | terminates | AuthenticationService["Authentication Service"]; ProcessTermination["Process Termination"] -.-> | May Evict | T1003002["Security Account Manager"] ; class ProcessTermination DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click ProcessTermination href "/technique/d3f:ProcessTermination"; ProcessTermination["Process Termination"] --> | terminates | Process["Process"]; class ProcessTermination DefensiveTechniqueNode; class Process ArtifactNode; click ProcessTermination href "/technique/d3f:ProcessTermination"; ProcessSuspension["Process Suspension"] --> | suspends | AuthenticationService["Authentication Service"]; ProcessSuspension["Process Suspension"] -.-> | May Evict | T1003002["Security Account Manager"] ; class ProcessSuspension DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click ProcessSuspension href "/technique/d3f:ProcessSuspension"; ProcessSuspension["Process Suspension"] --> | suspends | Process["Process"]; class ProcessSuspension DefensiveTechniqueNode; class Process ArtifactNode; click ProcessSuspension href "/technique/d3f:ProcessSuspension"; HostShutdown["Host Shutdown"] --> | terminates | AuthenticationService["Authentication Service"]; HostShutdown["Host Shutdown"] -.-> | May Evict | T1003002["Security Account Manager"] ; class HostShutdown DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click HostShutdown href "/technique/d3f:HostShutdown"; 
HostShutdown["Host Shutdown"] --> | terminates | Process["Process"]; class HostShutdown DefensiveTechniqueNode; class Process ArtifactNode; click HostShutdown href "/technique/d3f:HostShutdown"; ProcessLineageAnalysis["Process Lineage Analysis"] --> | analyzes | Process["Process"]; ProcessLineageAnalysis["Process Lineage Analysis"] -.-> | May Detect | T1003002["Security Account Manager"] ; class ProcessLineageAnalysis DefensiveTechniqueNode; class Process ArtifactNode; click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; ProcessLineageAnalysis["Process Lineage Analysis"] --> | analyzes | AuthenticationService["Authentication Service"]; class ProcessLineageAnalysis DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; HostReboot["Host Reboot"] --> | terminates | Process["Process"]; HostReboot["Host Reboot"] -.-> | May Evict | T1003002["Security Account Manager"] ; class HostReboot DefensiveTechniqueNode; class Process ArtifactNode; click HostReboot href "/technique/d3f:HostReboot"; MandatoryAccessControl["Mandatory Access Control"] --> | isolates | AuthenticationService["Authentication Service"]; MandatoryAccessControl["Mandatory Access Control"] -.-> | May Isolate | T1003002["Security Account Manager"] ; class MandatoryAccessControl DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl"; MandatoryAccessControl["Mandatory Access Control"] --> | isolates | Process["Process"]; class MandatoryAccessControl DefensiveTechniqueNode; class Process ArtifactNode; click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | isolates | AuthenticationService["Authentication Service"]; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> | May Isolate | T1003002["Security Account 
Manager"] ; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | isolates | Process["Process"]; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class Process ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; HostReboot["Host Reboot"] --> | terminates | AuthenticationService["Authentication Service"]; class HostReboot DefensiveTechniqueNode; class AuthenticationService ArtifactNode; click HostReboot href "/technique/d3f:HostReboot"; RestoreDatabase["Restore Database"] --> | restores | SystemPasswordDatabase["System Password Database"]; RestoreDatabase["Restore Database"] -.-> | May Restore | T1003002["Security Account Manager"] ; class RestoreDatabase DefensiveTechniqueNode; class SystemPasswordDatabase ArtifactNode; click RestoreDatabase href "/technique/d3f:RestoreDatabase";