Detect Security Account Manager in Google Chronicle
Adversaries attempt to extract credential material from the Security Account Manager (SAM) database, which holds the NTLM hashes of local accounts. Reading the SAM requires SYSTEM-level access. Methods include registry export (reg save HKLM\sam; reg save HKLM\system), Volume Shadow Copy access, Mimikatz lsadump::sam, secretsdump.py, gsecdump, pwdump, and creddump7. The technique is used by APT29, APT41, Daggerfly, GALLIUM, Wizard Spider, Ember Bear, Agrius, and universally by ransomware operators. Combined with the SYSTEM hive, a copy of the SAM allows offline hash extraction.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1003 OS Credential Dumping
- Sub-technique: T1003.002 Security Account Manager
- Canonical reference: https://attack.mitre.org/techniques/T1003/002/
YARA-L Detection Query

```yaral
rule t1003_002_sam_credential_dumping {
  meta:
    author = "Detection Engineering"
    description = "Detects SAM database credential dumping via registry export, Mimikatz, VSS shadow copy, or ESENTUTL/NTDSUTIL abuse"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1003.002"
    severity = "CRITICAL"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // In UDM PROCESS_LAUNCH events the launched process is target.process
    // (principal.process is its parent), so the image path is matched there.
    $e.target.process.file.full_path != ""
    (
      // reg.exe exporting the SAM, SYSTEM or SECURITY hive
      (
        re.regex($e.target.process.file.full_path, `(?i)reg\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)save.*hklm\\sam`) or
          re.regex($e.target.process.command_line, `(?i)save.*hklm\\system`) or
          re.regex($e.target.process.command_line, `(?i)save.*hklm\\security`)
        )
      ) or
      // Mimikatz module invocations, regardless of the binary name
      re.regex($e.target.process.command_line, `(?i)(lsadump::sam|lsadump::cache|sekurlsa::msv)`) or
      // Shadow copy creation or enumeration that exposes a readable SAM copy
      (
        re.regex($e.target.process.file.full_path, `(?i)vssadmin\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(create shadow|list shadow)`)
      ) or
      // esentutl/ntdsutil pointed at SAM, NTDS or a shadow copy
      (
        re.regex($e.target.process.file.full_path, `(?i)(esentutl|ntdsutil)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(sam|ntds|shadow)`)
      )
    )

  condition:
    $e
}
```

This Chronicle YARA-L 2.0 rule detects SAM credential dumping by matching process launch events against known attack patterns: registry hive export via reg.exe, Mimikatz lsadump/sekurlsa commands, VSS shadow copy creation or enumeration, and ESENTUTL/NTDSUTIL misuse against SAM/NTDS targets.
Data Sources
Required Tables
False Positives & Tuning
- System administrators performing authorized registry backup exports using reg.exe save commands as part of documented change management procedures
- Legitimate forensic investigation tools or EDR solutions accessing VSS shadows for telemetry collection during incident response
- Authorized penetration tests or red team exercises using Mimikatz or secretsdump as part of a scoped engagement
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Export SAM and SYSTEM Registry Hives
  Expected signal: Sysmon Event ID 1: Process Create with Image=reg.exe, CommandLine containing 'save HKLM\sam'. Sysmon Event ID 11: FileCreate for atomic_sam.hiv and atomic_system.hiv. Security Event ID 4688 for reg.exe process creation.
- Test 2: SAM Dump via Mimikatz lsadump::sam (Command Pattern)
  Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'lsadump::sam'. Sysmon Event ID 10: ProcessAccess if Mimikatz attempts to access lsass.exe. Security Event ID 4688 for mimikatz.exe. Windows Defender may flag this as HackTool:Win32/Mimikatz.
- Test 3: Create Volume Shadow Copy for SAM Access
  Expected signal: Sysmon Event ID 1: Process Create for vssadmin.exe with CommandLine 'create shadow /for=C:'. System Event Log: Event ID 8193/8194 for Volume Shadow Copy service events. Security Event ID 4688 for vssadmin.exe.
References (5)
- https://attack.mitre.org/techniques/T1003/002/
- https://github.com/Neohapsis/creddump7
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sam