# Security Account Manager

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database, either through in-memory techniques or through the Windows Registry, where the SAM database is stored. The SAM is a database file that contains the local accounts for the host, typically those listed by the **net user** command. Enumerating the SAM database requires SYSTEM-level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques:

- Pwdumpx.exe
- Gsecdump
- Mimikatz
- Secretsdump.py

Alternatively, the SAM can be extracted from the Registry with Reg:

- `reg save HKLM\sam sam`
- `reg save HKLM\system system`

Creddump7 can then be used to process the saved SAM database locally and retrieve the hashes.

Notes:

- RID 500 is the local, built-in Administrator account.
- RID 501 is the Guest account.
- User accounts start with a RID of 1000 and above.
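From the defender's side, the two Registry commands above and the tool names listed earlier are the most reliable things to look for in process-creation telemetry. The following is an added detection example, not code from the original notes: it scans constructed Sysmon-style Event ID 1 records (the `Image` and `CommandLine` fields are real Sysmon names; a `UserSid` field is assumed to be present) for a `reg save` of the SAM, SYSTEM or SECURITY hive and for the dumping tools named on this page, and it classifies the acting account by the RID rules in the notes.

```python
"""Added detection example (not from the original notes): flag process-creation
events that export the SAM/SYSTEM hives with `reg save` or that launch one of
the dumping tools named above, and classify the acting account by its RID."""
import re

# Tools named on this page, matched against the image name without extension.
TOOL_BASENAMES = {"pwdumpx", "pwdump", "gsecdump", "mimikatz", "secretsdump"}

# `reg save` of a hive that holds credential material.  Registry paths are
# case-insensitive and HKLM may be spelled out, so match both forms.
REG_SAVE_RE = re.compile(
    r'\breg(?:\.exe)?\s+save\s+"?(?:hklm|hkey_local_machine)\\(sam|system|security)"?(?=\s|$)',
    re.I,
)


def classify_rid(sid: str) -> str:
    """Map the last sub-authority (the RID) of a SID to the classes noted above."""
    rid = int(sid.rsplit("-", 1)[-1])
    if rid == 500:
        return "built-in Administrator"
    if rid == 501:
        return "Guest"
    if rid >= 1000:
        return "user account"
    return "other well-known account"


def image_basename(image: str) -> str:
    """'C:\\Tools\\mimikatz.exe' -> 'mimikatz' (path and extension stripped)."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0]


def analyze_events(events):
    """Return one alert per suspicious event.  Field names follow Sysmon
    Event ID 1 (Image, CommandLine); UserSid is an assumed extra field."""
    alerts = []
    for index, ev in enumerate(events):
        reasons, hive = [], None
        m = REG_SAVE_RE.search(ev.get("CommandLine", ""))
        if m:
            hive = m.group(1).lower()
            reasons.append(f"registry hive export of HKLM\\{hive}")
        if image_basename(ev.get("Image", "")) in TOOL_BASENAMES:
            reasons.append("known credential-dumping tool image")
        if reasons:
            alerts.append({
                "index": index,
                "hive": hive,
                "reasons": reasons,
                "account": classify_rid(ev.get("UserSid", "S-1-0-0")),
            })
    return alerts


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\sam C:\Users\Public\sam",
     "UserSid": "S-1-5-21-1111-2222-3333-500"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg  save  hklm\system  C:\Users\Public\system",
     "UserSid": "S-1-5-21-1111-2222-3333-500"},
    {"EventID": 1, "Image": r"C:\Tools\mimikatz.exe",
     "CommandLine": r"mimikatz.exe",
     "UserSid": "S-1-5-21-1111-2222-3333-1001"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion",
     "UserSid": "S-1-5-21-1111-2222-3333-1001"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c whoami",
     "UserSid": "S-1-5-21-1111-2222-3333-501"},
]

if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(alert)
```

The command-line match fires no matter where the exported hive is written, while the image-name check is only as good as the binary name, so a renamed tool slips past it; on real hosts, pair these rules with auditing of the SAM Registry key itself rather than relying on process names alone.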

**Example**

In this demo we will work with secretsdump and mimikatz, two tools that work very well for this goal, and we will also work with the Registry to obtain the hashes from the saved hives.

For example, with secretsdump we will attack the DC; on this occasion we will use Domain Admin credentials and have it dump the hashes of the entire domain.

![](/files/-MRkliy8H619kMqfUpdp)

Above we see the technique succeed, but be aware that this will NOT dump local accounts, only Domain accounts.

What about mimikatz? It can dump the SAM and grab credentials as well. For this attack to work we will first need to dump the SAM database from the Registry.

![](/files/-MRkljmDxhic8Mt4-Hdf)

Once mimikatz is running we start with `privilege::debug`

![](/files/-MRklkgcqNxOcHqD9wB6)

Then we elevate our privileges to SYSTEM using `token::elevate`

![](/files/-MRkllQeuxTZkLPYiIgJ)

Then finally we grab the creds from the files we saved from the Registry

![](/files/-MRklmHSgkR7k4s5lioa)

Another tool I encountered was PWDUMP from BlackArch Linux. It requires the same two files, SAM and SYSTEM, from the Registry and will dump the hashes, but be sure to use the correct argument order: the SYSTEM file first, then the SAM file.

![](/files/-MRklnBd2NZpjmoKjwUX)

I do encourage you to try other tools to achieve this goal as well, as there is a plethora of them out there. Good luck.
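Every variant in this walkthrough that goes through the Registry leaves the same artifact behind: two exported hive files, often just named `sam` and `system`, wherever the operator chose to write them. An exported hive begins with a fixed base block whose first four bytes are `regf`, so a responder can recognise such files by content rather than by name. The following is an added forensic triage example, not code from the original notes or from any of the tools it mentions: it parses the documented base-block fields (magic, sequence numbers, last-written FILETIME, version, embedded hive name) and reports every file that is really a hive. The sample hives are constructed in memory, with made-up names and timestamps, so the block runs offline.

```python
"""Added forensic triage example (not from the original notes): recognise files
that are exported Registry hives by the 'regf' base block that `reg save`
writes, and report the fields most useful when a dropped `sam`/`system` file
is found.  The sample hives below are constructed in memory."""
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

REGF_MAGIC = b"regf"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, in exact integer arithmetic."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_hive_header(data: bytes):
    """Parse the fixed part of the hive base block.  Offsets (little-endian):
    0 'regf', 4 primary sequence, 8 secondary sequence, 12 last-written
    FILETIME, 20 major version, 24 minor version, 48 embedded file name
    (64 bytes, UTF-16LE).  Returns None for anything that is not a hive."""
    if len(data) < 112 or data[:4] != REGF_MAGIC:
        return None
    seq1, seq2, ft, major, minor = struct.unpack_from("<IIQII", data, 4)
    name = data[48:112].decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "last_written": filetime_to_datetime(ft),
        "version": f"{major}.{minor}",
        "dirty": seq1 != seq2,  # sequence mismatch: hive was not cleanly flushed
        "embedded_name": name,
    }


def triage_blobs(files):
    """files: {file name: leading bytes}.  Returns {file name: header} for hives."""
    hits = {}
    for name, data in files.items():
        header = parse_hive_header(data)
        if header is not None:
            hits[name] = header
    return hits


def triage_directory(directory) -> dict:
    """Read the first 4 KiB of every regular file under `directory` and triage it."""
    blobs = {}
    for path in Path(directory).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                blobs[str(path)] = fh.read(4096)
    return triage_blobs(blobs)


def build_sample_hive_header(name: str, last_written: datetime, seq=(1, 1)) -> bytes:
    """Construct a minimal base block for offline testing; not a real hive."""
    buf = bytearray(4096)
    buf[0:4] = REGF_MAGIC
    struct.pack_into("<IIQII", buf, 4, seq[0], seq[1],
                     datetime_to_filetime(last_written), 1, 5)
    encoded = name.encode("utf-16-le")[:64]
    buf[48:48 + len(encoded)] = encoded
    return bytes(buf)


# Constructed sample files: two fake hives and one plain text file.
SAMPLE_TIME = datetime(2021, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_FILES = {
    "sam": build_sample_hive_header(r"\SystemRoot\System32\Config\SAM", SAMPLE_TIME),
    "system": build_sample_hive_header(r"\SystemRoot\System32\Config\SYSTEM",
                                       SAMPLE_TIME, seq=(7, 6)),
    "notes.txt": b"just a text file, not a hive",
}

if __name__ == "__main__":
    for name, header in triage_blobs(SAMPLE_FILES).items():
        print(name, header)
```

Point `triage_directory()` at a staging directory such as a user's public folder or a temp path to list every hive-shaped file there with its embedded name and last-written time; the magic check alone is not enough, which is why the parser also insists on a full base block before reporting a hit.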
