Detect Security Account Manager in IBM QRadar
Adversaries attempt to extract credential material from the Security Account Manager (SAM) database containing local account NTLM hashes. The SAM requires SYSTEM-level access. Methods include: registry export (reg save HKLM\sam; reg save HKLM\system), Volume Shadow Copy access, Mimikatz lsadump::sam, secretsdump.py, gsecdump, pwdump, and creddump7. Used by APT29, APT41, Daggerfly, GALLIUM, Wizard Spider, Ember Bear, Agrius, and ransomware operators universally. Combined with the SYSTEM hive, SAM allows offline hash extraction.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1003 OS Credential Dumping
- Sub-technique
- T1003.002 Security Account Manager
- Canonical reference
- https://attack.mitre.org/techniques/T1003/002/
QRadar Detection Query
SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime, sourceip, username, "Process Name", "Command", CATEGORYNAME(category) AS Category, LOGSOURCENAME(logsourceid) AS LogSource
FROM events
WHERE LOGSOURCETYPEID IN (12, 13, 14)
AND (
(LOWER("Process Name") LIKE '%reg.exe%' AND (LOWER("Command") LIKE '%save%hklm\\sam%' OR LOWER("Command") LIKE '%save%hklm\\system%' OR LOWER("Command") LIKE '%save%hklm\\security%'))
OR (LOWER("Command") LIKE '%lsadump::sam%' OR LOWER("Command") LIKE '%lsadump::cache%' OR LOWER("Command") LIKE '%sekurlsa::msv%')
OR (LOWER("Process Name") LIKE '%vssadmin.exe%' AND (LOWER("Command") LIKE '%create shadow%' OR LOWER("Command") LIKE '%list shadow%'))
OR (LOWER("Process Name") LIKE '%esentutl.exe%' AND (LOWER("Command") LIKE '%sam%' OR LOWER("Command") LIKE '%shadow%'))
OR (LOWER("Process Name") LIKE '%ntdsutil.exe%' AND LOWER("Command") LIKE '%sam%')
)
AND starttime > NOW() - 86400000
ORDER BY starttime DESCDetects SAM credential dumping activity by correlating Windows process creation events in QRadar, identifying reg.exe registry exports, Mimikatz command-line patterns, VSS shadow copy abuse, and ESENTUTL/NTDSUTIL misuse targeting SAM or SYSTEM hives.
Data Sources
Required Tables
False Positives & Tuning
- Scheduled enterprise backup jobs that legitimately access VSS shadow copies and registry hives for disaster recovery
- IT operations teams running reg.exe exports as part of documented change management or system migration procedures
- Security tooling such as CyberArk or BeyondTrust PAM solutions that may enumerate shadow copies as part of privileged session management
Other platforms for T1003.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Export SAM and SYSTEM Registry Hives
Expected signal: Sysmon Event ID 1: Process Create with Image=reg.exe, CommandLine containing 'save HKLM\sam'. Sysmon Event ID 11: FileCreate for atomic_sam.hiv and atomic_system.hiv. Security Event ID 4688 for reg.exe process creation.
- Test 2SAM Dump via Mimikatz lsadump::sam (Command Pattern)
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'lsadump::sam'. Sysmon Event ID 10: ProcessAccess if Mimikatz attempts to access lsass.exe. Security Event ID 4688 for mimikatz.exe. Windows Defender may flag this as HackTool:Win32/Mimikatz.
- Test 3Create Volume Shadow Copy for SAM Access
Expected signal: Sysmon Event ID 1: Process Create for vssadmin.exe with CommandLine 'create shadow /for=C:'. System Event Log: Event ID 8193/8194 for Volume Shadow Copy service events. Security Event ID 4688 for vssadmin.exe.
References (5)
- https://attack.mitre.org/techniques/T1003/002/
- https://github.com/Neohapsis/creddump7
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sam
Unlock Pro Content
Get the full detection package for T1003.002 including response playbook, investigation guide, and atomic red team tests.