Adversaries may dump the SAM database to extract local account credentials, a common technique used to gain persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft and reduce the risk of lateral movement.
Detection Rule
title: Potential SAM Database Dump
id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
status: test
description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
references:
    - https://github.com/search?q=CVE-2021-36934
    - https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934
    - https://www.google.com/search?q=%22reg.exe+save%22+sam
    - https://github.com/HuskyHacks/ShadowSteal
    - https://github.com/FireFart/hivenightmare
author: Florian Roth (Nextron Systems)
date: 2022-02-11
modified: 2023-01-05
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|endswith:
              - '\Temp\sam'
              - '\sam.sav'
              - '\Intel\sam'
              - '\sam.hive'
              - '\Perflogs\sam'
              - '\ProgramData\sam'
              - '\Users\Public\sam'
              - '\AppData\Local\sam'
              - '\AppData\Roaming\sam'
              - '_ShadowSteal.zip' # https://github.com/HuskyHacks/ShadowSteal
              - '\Documents\SAM.export' # https://github.com/n3tsurge/CVE-2021-36934/
              - ':\sam'
        - TargetFilename|contains:
              - '\hive_sam_' # https://github.com/FireFart/hivenightmare
              - '\sam.save'
              - '\sam.export'
              - '\~reg_sam.save'
              - '\sam_backup'
              - '\sam.bck'
              - '\sam.backup'
    condition: selection
falsepositives:
    - Rare cases of administrative activity
level: high
Azure Sentinel (KQL) translation
imFileEvent
| where (TargetFileName endswith "\\Temp\\sam"
    or TargetFileName endswith "\\sam.sav"
    or TargetFileName endswith "\\Intel\\sam"
    or TargetFileName endswith "\\sam.hive"
    or TargetFileName endswith "\\Perflogs\\sam"
    or TargetFileName endswith "\\ProgramData\\sam"
    or TargetFileName endswith "\\Users\\Public\\sam"
    or TargetFileName endswith "\\AppData\\Local\\sam"
    or TargetFileName endswith "\\AppData\\Roaming\\sam"
    or TargetFileName endswith "_ShadowSteal.zip"
    or TargetFileName endswith "\\Documents\\SAM.export"
    or TargetFileName endswith ":\\sam")
  or (TargetFileName contains "\\hive_sam_"
    or TargetFileName contains "\\sam.save"
    or TargetFileName contains "\\sam.export"
    or TargetFileName contains "\\~reg_sam.save"
    or TargetFileName contains "\\sam_backup"
    or TargetFileName contains "\\sam.bck"
    or TargetFileName contains "\\sam.backup")
Scenario: System Restore Point Creation
Description: When a system restore point is created using the System Restore feature, it may generate files that resemble SAM database exports.
Filter/Exclusion: Exclude files created by the System Restore service (the svchost.exe instance hosting the System Restore service) or files whose creation time matches the system restore point timestamp.
Scenario: Scheduled Task for User Management
Description: A legitimate scheduled task that runs a script to manage user accounts (e.g., using net user or PowerShell) may create temporary files that match the pattern of SAM exports.
Filter/Exclusion: Exclude files created by tasks with a known name like UserManagementTask or by the schtasks.exe process.
Scenario: Active Directory Sync Tool
Description: Tools like adsync or dsquery used for synchronizing Active Directory with local accounts may generate temporary files that look like SAM exports.
Filter/Exclusion: Exclude files created by processes associated with Active Directory synchronization tools or by the adsync.exe process.
Scenario: Windows Backup or System Image Creation
Description: When creating a system image or backup using tools like wbadmin or DISM, temporary files may be generated that match the pattern of SAM exports.
Filter/Exclusion: Exclude files created by wbadmin.exe or dism.exe during backup operations.
Scenario: Admin Task for Local User Export
Description: An administrator may manually export local user accounts using commands such as net user > users.txt or PowerShell scripts, which could generate files that match the rule's pattern.
Filter/Exclusion: Exclude files created by processes with a command line containing net user or Export-ADUser and associated with administrative user
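To show how the rule's selection and one of the exclusions above behave on concrete file events, here is an added Python harness that is not part of the Sigma rule or the Sentinel query. It transcribes the endswith/contains lists from the rule, applies them case-insensitively as Sigma does, and then tunes out the backup-tool scenario by process image; the event records and the TUNED_OUT_IMAGES set are constructed for this example.

```python
# Sigma selection from the rule above, transcribed as Python lists.
ENDSWITH = [
    r"\Temp\sam", r"\sam.sav", r"\Intel\sam", r"\sam.hive", r"\Perflogs\sam",
    r"\ProgramData\sam", r"\Users\Public\sam", r"\AppData\Local\sam",
    r"\AppData\Roaming\sam", "_ShadowSteal.zip", r"\Documents\SAM.export", r":\sam",
]
CONTAINS = [
    r"\hive_sam_", r"\sam.save", r"\sam.export", r"\~reg_sam.save",
    r"\sam_backup", r"\sam.bck", r"\sam.backup",
]

# Assumed tuning set (not from the page's rule): process basenames that the
# "Windows Backup or System Image Creation" scenario says to exclude.
TUNED_OUT_IMAGES = {"wbadmin.exe", "dism.exe"}


def matches_selection(target: str) -> bool:
    """Mirror Sigma's case-insensitive endswith/contains over TargetFilename."""
    t = target.lower()
    return (any(t.endswith(p.lower()) for p in ENDSWITH)
            or any(p.lower() in t for p in CONTAINS))


def evaluate(event: dict) -> str:
    """Classify one file_event record as 'alert', 'tuned_out' or 'ignore'."""
    if not matches_selection(event.get("TargetFilename", "")):
        return "ignore"
    # Image is the full path of the creating process; compare on its basename.
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image in TUNED_OUT_IMAGES:
        return "tuned_out"
    return "alert"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "TargetFilename": r"C:\Windows\Temp\sam"},
    {"Image": r"C:\Windows\System32\wbadmin.exe", "TargetFilename": r"C:\Windows\Temp\sam.bck"},
    {"Image": r"C:\Windows\System32\notepad.exe", "TargetFilename": r"C:\Users\alice\Documents\samples.txt"},
    {"Image": r"C:\Users\bob\Downloads\tool.exe", "TargetFilename": r"C:\Users\bob\Desktop\hive_sam_1"},
]


def triage(events):
    """Return (TargetFilename, verdict) pairs; third sample shows 'sam' prefix alone does not match."""
    return [(e["TargetFilename"], evaluate(e)) for e in events]


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:10} {path}")
```

An exclusion keyed only on the image name is as easy to satisfy as renaming a binary, so in production the same scenario is better narrowed with the parent process or binary signer as well.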