This note documents detection patterns related to SAM Dumping within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Look for execution of tools capable of dumping SAM such as reg.exe, secretsdump.py, mimikatz, or PowerShell scripts. Review CommandLine and ParentProcessName. |
| Security | 4656 | Handle requested to object | High | Access to registry hives such as SAM and SYSTEM may indicate credential extraction attempts. Only generated when Audit Object Access (Registry subcategory) is enabled and a SACL exists on the key. |
| Security | 4663 | Object access | High | Indicates access to registry keys or files associated with the SAM database. Same auditing prerequisites as 4656. |
| Sysmon | 1 | Process creation | Critical | Identify suspicious execution of registry export commands or credential extraction utilities. |
| Sysmon | 11 | File creation | High | Creation of exported registry hive files such as sam.save or system.save. |
| Sysmon | 13 | Registry value set | Medium | Registry operations interacting with SAM or SYSTEM hives. `reg save` reads the hive rather than writing values, so this event tends to capture tooling side effects rather than the export itself. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Registry hive export | Commands exporting SAM or SYSTEM hives using reg save | Critical | Common attacker method to obtain password hashes. |
| Suspicious tool execution | Execution of mimikatz, secretsdump, or similar utilities | High | Often indicates credential dumping activity. |
| Temporary hive files | Files named sam.save, system.save, or similar appearing in temp directories | High | Often used by attackers for offline extraction. |
| Privilege escalation preceding dump | Use of SeBackupPrivilege or administrative privileges | Medium | Often required before registry hive access. |
| Post-dump authentication | Successful logons using accounts extracted from SAM | Critical | Indicates attacker cracked hashes and reused credentials. |
Common Tools
| Tool | Usage |
|---|---|
| Mimikatz | Extracts SAM password hashes from memory or registry hives. |
| Impacket secretsdump.py | Extracts SAM and SYSTEM hashes from local or remote hosts. |
| reg.exe | Built-in command used to export registry hives. |
| PowerShell scripts | Custom scripts used to copy and extract registry hive files. |
| Cobalt Strike | Often used to execute credential dumping modules. |
Relevant Artifacts
- Windows Security logs (4688, 4656, 4663)
- Sysmon logs (1, 11, 13)
- Registry hive files (SAM, SYSTEM, SECURITY)
- Dumped hive copies on disk
- Prefetch entries for dumping utilities
- MFT artifacts showing hive file creation
- PowerShell execution logs (4103, 4104)
- EDR telemetry showing suspicious registry operations
MITRE ATT&CK References
- T1003 OS Credential Dumping
- T1003.002 SAM
- T1078 Valid Accounts
- T1555 Credentials from Password Stores
Decision Tree
- Is the suspicious event present?
  - Look for process execution exporting registry hives or accessing the SAM database.
- What host generated the event?
  - Identify the compromised workstation or server.
- Is the account expected to perform this action?
  - Registry hive exports are uncommon in normal operations.
- Pivot:
  - Source host → analyze executed commands and processes.
  - Account → review privileges and group memberships.
  - Network → check for lateral movement after credential extraction.
- Confirm exploitation
  - Investigate whether dumped hashes were used for authentication attempts.
Example Detection Templates
KQL

```kql
// Security 4688: reg save of a credential-bearing hive.
// The hive filter keeps exports of other hives (e.g. SOFTWARE backups) out of the alert.
SecurityEvent
| where EventID == 4688
| where CommandLine contains "reg save"
| where CommandLine has_any ("sam", "system", "security")
| project TimeGenerated, Computer, NewProcessName, CommandLine, ParentProcessName
```

```kql
// Sysmon 11: exported hive copy appearing on disk. Match the file name, not the
// substring "sam", so paths like samples.txt do not alert. The table name depends on
// how Sysmon is ingested; with the Log Analytics agent the events land in Event
// with Source == "Microsoft-Windows-Sysmon".
Sysmon
| where EventID == 11
| where TargetFilename matches regex @"(?i)[\\/](sam|system|security)(\.\w+)?$"
| project TimeGenerated, Computer, TargetFilename, Image
```
EQL

```eql
// like~ is the case-insensitive form; plain like would miss "reg save hklm\sam"
process where process.command_line like~ "*reg save*SAM*"
```
Sigma

```yaml
title: SAM Registry Hive Dump
id: sam-hive-dump   # Sigma expects a UUID here; replace before deploying
status: experimental
description: Detects attempts to export the SAM registry hive with reg save
logsource:
    product: windows
    category: process_creation
detection:
    # Two selections joined with "and": a single contains list is an OR and would
    # alert on every command line that merely contains "SAM".
    selection_cmd:
        CommandLine|contains: 'reg save'
    selection_hive:
        CommandLine|contains:
            - '\SAM'
            - '\SYSTEM'
            - '\SECURITY'
    condition: selection_cmd and selection_hive
fields:
    - CommandLine
    - ParentProcessName
falsepositives:
    - Legitimate administrative backup operations
level: high
tags:
    - attack.credential_access
    - attack.t1003.002
```
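The following is an added example, not part of this note and not tooling from any of the projects named above. It runs the indicator logic from the tables and the templates over a handful of constructed Windows events (Security 4688 process creation, Sysmon 11 file creation, Security 4624 logon) represented as plain dicts, and walks the decision tree's last step by flagging local-account network logons that follow a hive dump. Two refinements go beyond the templates: the hive name is parsed out of the `reg save` argument instead of substring-matching "SAM", and hive copies are matched by file name rather than by the substring "sam". The domain name `CORP`, the host names, paths and timestamps are all assumed values.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime

AD_DOMAIN = "CORP"                              # assumed AD domain; local (SAM) accounts carry a host name instead
HIVE_TARGETS = {"SAM", "SYSTEM", "SECURITY"}    # hives whose export yields credential material
# `reg save <key> <file>`; reg.exe may be quoted or given with a full path. Group 1 is the key.
REG_SAVE_RE = re.compile(r'(?:^|[\\\s"])reg(?:\.exe)?"?\s+save\s+"?([^"\s]+)', re.I)
# Exported copies named after the hive: sam.save, system.hive, SECURITY.bak, or a bare "sam".
HIVE_FILE_RE = re.compile(r'[\\/](sam|system|security)(?:\.(?:save|hive|bak))?$', re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    when: datetime
    rule: str
    detail: str


def hive_from_key(key: str) -> str | None:
    """Root hive of a registry path such as HKLM\\SAM or HKEY_LOCAL_MACHINE\\SYSTEM."""
    parts = key.strip("\\").split("\\")
    return parts[1].upper() if len(parts) >= 2 else None


def check_process(ev: dict) -> Finding | None:
    """4688 / Sysmon 1: reg save of a credential-bearing hive ('Registry hive export' indicator)."""
    m = REG_SAVE_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    hive = hive_from_key(m.group(1))
    if hive not in HIVE_TARGETS:
        return None                             # reg save of SOFTWARE etc. is not this pattern
    return Finding(ev["Computer"], ev["Time"], "reg_save_hive",
                   f"{hive} hive exported: {ev['CommandLine']}")


def check_file(ev: dict) -> Finding | None:
    """Sysmon 11: a file named like an exported hive appears on disk ('Temporary hive files')."""
    path = ev.get("TargetFilename", "")
    if HIVE_FILE_RE.search(path):
        return Finding(ev["Computer"], ev["Time"], "hive_copy_on_disk",
                       f"{path} written by {ev.get('Image', '?')}")
    return None


def check_post_dump_logon(ev: dict, dumps: list[Finding]) -> Finding | None:
    """4624 after a dump: SAM holds local accounts only, so a network logon (type 3/10) with a
    non-domain account after a hive export is the 'Post-dump authentication' indicator."""
    if ev.get("LogonType") not in (3, 10) or ev.get("TargetDomainName", "").upper() == AD_DOMAIN:
        return None
    prior = [d for d in dumps if d.when <= ev["Time"]]
    if not prior:
        return None
    return Finding(ev["Computer"], ev["Time"], "post_dump_local_logon",
                   f"{ev['TargetDomainName']}\\{ev['TargetUserName']} from {ev.get('IpAddress', '?')} "
                   f"after hive dump on {prior[0].host}")


def run(events: list[dict]) -> list[Finding]:
    """Apply the checks in time order so logon correlation only sees earlier dump findings."""
    findings: list[Finding] = []
    dumps: list[Finding] = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        f = None
        if ev["EventID"] in (4688, 1):
            f = check_process(ev)
        elif ev["EventID"] == 11:
            f = check_file(ev)
        elif ev["EventID"] == 4624:
            f = check_post_dump_logon(ev, dumps)
        if f:
            findings.append(f)
            if f.rule in ("reg_save_hive", "hive_copy_on_disk"):
                dumps.append(f)
    return findings


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample events (not real telemetry); hosts, paths and times are made up.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Time": ts("2024-05-01T10:00:00"), "Computer": "WS01",
     "CommandLine": 'reg save HKLM\\SOFTWARE C:\\backup\\software.hiv'},               # other hive: no alert
    {"EventID": 4688, "Time": ts("2024-05-01T10:01:00"), "Computer": "WS01",
     "CommandLine": '"C:\\Windows\\System32\\reg.exe" save hklm\\sam C:\\Windows\\Temp\\sam.save'},
    {"EventID": 11, "Time": ts("2024-05-01T10:01:01"), "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\reg.exe", "TargetFilename": "C:\\Windows\\Temp\\sam.save"},
    {"EventID": 11, "Time": ts("2024-05-01T10:02:00"), "Computer": "WS01",
     "Image": "C:\\Program Files\\App\\app.exe", "TargetFilename": "C:\\Users\\a\\samples.txt"},  # no alert
    {"EventID": 4624, "Time": ts("2024-05-01T09:30:00"), "Computer": "SRV01", "LogonType": 3,
     "TargetDomainName": "CORP", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},              # domain account
    {"EventID": 4624, "Time": ts("2024-05-01T10:15:00"), "Computer": "SRV01", "LogonType": 3,
     "TargetDomainName": "SRV01", "TargetUserName": "Administrator", "IpAddress": "10.0.0.5"},    # local account after dump
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f.when:%H:%M:%S} {f.host} {f.rule}: {f.detail}")
```

Running the script yields three findings on the sample: the `reg save` of `hklm\sam`, the `sam.save` file creation, and the later local-account network logon on SRV01; the SOFTWARE export, `samples.txt`, and the domain logon stay quiet. The logon check is a pivot heuristic for the decision tree's "confirm exploitation" step, not proof of hash reuse: it tells the analyst which logons to review, and the account's origin (TargetDomainName) still has to be compared against the dumped host.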
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Privilege restriction | Limit SeBackupPrivilege and administrative rights | High | Prevents unauthorized registry hive exports. |
| Monitoring | Alert on reg save commands targeting SAM or SYSTEM hives | High | Early detection of credential dumping attempts. |
| Endpoint protection | Deploy EDR capable of detecting credential dumping tools | High | Helps detect suspicious registry access behavior. |
| Least privilege | Restrict local administrator accounts | High | Reduces attacker ability to dump registry hives. |
| System auditing | Enable detailed registry access auditing | Medium | Improves visibility into hive access events. |