title: Security Account Manager (T1003.002)
id: df00tech-t1003-002
status: experimental
description: "Adversaries attempt to extract credential material from the Security Account Manager (SAM) database, which stores the NTLM hashes of local accounts. Reading the SAM requires SYSTEM-level access. Methods include registry export (reg save HKLM\\sam; reg save HKLM\\system), Volume Shadow Copy access, Mimikatz lsadump::sam, secretsdump.py, gsecdump, pwdump, and creddump7. Used by APT29, APT41, Daggerfly, GALLIUM, Wizard Spider, Ember Bear, Agrius, and ransomware operators universally. Combined with the SYSTEM hive, the SAM hive allows offline hash extraction."
references:
  - https://attack.mitre.org/techniques/T1003/002/
  - https://df00tech.com/detections/T1003.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1003.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: the detection logic could not be auto-translated, and the selection below
  # matches every process_creation event. Replace it with the KQL/SPL query on df00tech before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Authorized backup solutions using Volume Shadow Copy that may trigger vssadmin alerts
  - IT administrators performing registry backups as part of documented maintenance procedures
  - Incident response tools running forensic collection scripts that export SAM/SYSTEM hives
  - Antivirus or EDR agents performing system state backups
level: critical
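The detection block above is a placeholder. The following Python is an added example, not df00tech's KQL/SPL logic and not part of the rule file, showing a process_creation check for the two methods in the description that leave a command line behind: `reg save` of the SAM or SYSTEM hive, and shadow-copy creation through vssadmin (the "vssadmin alerts" the falsepositives list mentions). Event fields use Sysmon Event ID 1 names (Image, CommandLine, ParentImage, User); the sample events, the user names and the backup-agent path in `TRUSTED_BACKUP_PARENTS` are constructed for this example.

```python
"""Process-creation detection for the SAM extraction methods named in the rule
description: `reg save HKLM\\sam` / `reg save HKLM\\system` and shadow-copy
creation via vssadmin. Added example, not the df00tech rule.
"""
import re

# Hive key in its common spellings, quoted or not: HKLM\SAM, "HKLM\system",
# HKEY_LOCAL_MACHINE\SAM. The trailing \b keeps keys such as HKLM\SystemX out.
HIVE_KEY = re.compile(r"(?:hklm|hkey_local_machine)\\(?:sam|system)\b", re.IGNORECASE)


def is_reg_hive_save(event):
    """True when reg.exe runs with the `save` verb against the SAM or SYSTEM hive."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("\\reg.exe"):
        return False
    # reg.exe takes the verb as its first argument; strip quotes so that
    # `reg save "HKLM\SYSTEM" out.bak` tokenises like the unquoted form.
    tokens = cmd.replace('"', " ").split()
    if len(tokens) < 2 or tokens[1].lower() != "save":
        return False
    return HIVE_KEY.search(cmd) is not None


def is_shadow_copy_creation(event):
    """True for `vssadmin create shadow ...`, the shadow-copy route to the hive files."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("\\vssadmin.exe") and "create" in cmd and "shadow" in cmd


def evaluate(event, trusted_parents=frozenset()):
    """Return the matching sub-rule name, or None.

    trusted_parents: lowercase full paths of parent images whose children are
    tolerated (backup agents and IR collection tooling from the falsepositives
    list). Keep the set short: a parent path alone is a weak identity, so pair
    it with host or signer checks in a real pipeline.
    """
    verdict = None
    if is_reg_hive_save(event):
        verdict = "reg_save_sam_or_system_hive"
    elif is_shadow_copy_creation(event):
        verdict = "vssadmin_create_shadow"
    if verdict and event.get("ParentImage", "").lower() in trusted_parents:
        return None
    return verdict


def run(events, trusted_parents=frozenset()):
    """Evaluate every event; return (index, sub-rule) pairs for the hits."""
    hits = []
    for i, event in enumerate(events):
        verdict = evaluate(event, trusted_parents)
        if verdict:
            hits.append((i, verdict))
    return hits


# Constructed sample events; users, paths and the backup agent are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg save HKLM\sam C:\temp\sam.hive", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'reg.exe save "HKLM\SYSTEM" sys.bak /y', "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg save HKLM\Software\Policies C:\backup\policies.hiv", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin create shadow /for=C:", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Program Files\ExampleBackup\agent.exe",
     "CommandLine": "vssadmin create shadow /for=C:", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows", "User": r"CORP\alice"},
]

# Hypothetical backup agent, lowercase to match the comparison in evaluate().
TRUSTED_BACKUP_PARENTS = frozenset({r"c:\program files\examplebackup\agent.exe"})


if __name__ == "__main__":
    print("untuned:", run(SAMPLE_EVENTS))
    print("tuned:  ", run(SAMPLE_EVENTS, TRUSTED_BACKUP_PARENTS))
```

Events 0, 1, 4 and 5 fire untuned; the `reg query` and the `reg save` of a non-credential hive (event 3) do not, which is the precision the `HIVE_KEY` anchor buys over a bare "reg save" match. With the backup agent in `TRUSTED_BACKUP_PARENTS`, event 5 is suppressed and the other three remain, which is the tuning the falsepositives list calls for.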
