| ID | Name |
|---|---|
| ATAGS-T1121.001 | /etc/passwd and /etc/shadow |
| ATAGS-T1121.002 | Cached Domain Credentials |
| ATAGS-T1121.003 | DCSync |
| ATAGS-T1121.004 | LSA Secrets |
| ATAGS-T1121.005 | LSASS Memory |
| ATAGS-T1121.006 | NTDS |
| ATAGS-T1121.007 | Proc Filesystem |
| ATAGS-T1121.008 | Security Account Manager |

Threat actors may attempt to extract credential material from the Security Account Manager (SAM) database, either through in-memory techniques or through the Windows Registry, where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the `net user` command. Enumerating the SAM database requires SYSTEM-level access.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.