sam

$ target-query <path/to/target> -f sam
Details

Module

os.windows.sam.SamPlugin

Output

records

Module documentation

SAM plugin.

References:

Function documentation

Dump SAM entries

The Security Account Manager (SAM) registry hive contains registry keys that store usernames, full names and passwords in a hashed format, either an LM or NT hash.

References:

Yields SamRecords with fields:

- rid (uint32): The RID.
- fullname (string): Parsed fullname.
- username (string): Parsed username.
- admincomment (string): Parsed admin comment.
- usercomment (string): Parsed user comment.
- lastlogin (datetime): Parsed last login date.
- lastpasswordset (datetime): Parsed last password set date.
- lastincorrectlogin (datetime): Parsed last incorrect login date.
- flags (uint32): Parsed flags.
- countrycode (uint16): Parsed country code (international country calling code).
- failedlogins (uint32): Parsed failed logins, reset after successful login.
- logins (uint32): Parsed logins (max 0xFFFF = 65535).
- lm (string): Parsed LM-hash.
- nt (string): Parsed NT-hash.
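As an added example (not part of the plugin or the project's code), the following audits records carrying the fields listed above for weak account hygiene: stored LM hashes, blank passwords, NT hashes shared between accounts, stale passwords and repeated failed logins. The records are constructed dicts; the function name `audit_sam`, the finding labels, the thresholds and the assumption that `lm`/`nt` are hex strings are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Well-known LM and NT hashes of the empty password (public constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample records; the non-empty hash values are made up.
SAMPLE = [
    {"rid": 500, "username": "Administrator", "lm": EMPTY_LM,
     "nt": "0123456789abcdef0123456789abcdef", "failedlogins": 0,
     "lastpasswordset": datetime(2019, 3, 1, tzinfo=timezone.utc)},
    {"rid": 1001, "username": "svc_backup", "lm": "fedcba9876543210fedcba9876543210",
     "nt": "0123456789ABCDEF0123456789ABCDEF", "failedlogins": 7,
     "lastpasswordset": datetime(2024, 1, 10, tzinfo=timezone.utc)},
    {"rid": 501, "username": "Guest", "lm": EMPTY_LM, "nt": EMPTY_NT,
     "failedlogins": 0, "lastpasswordset": None},
]


def audit_sam(records, now, max_age_days=365, max_failed=5):
    """Return {username: [finding, ...]} for dict-shaped SAM records."""
    findings = defaultdict(list)
    by_nt = defaultdict(list)  # NT hash -> usernames, to spot password reuse
    for rec in records:
        user = rec["username"]
        lm = (rec.get("lm") or "").lower()
        nt = (rec.get("nt") or "").lower()
        if lm and lm != EMPTY_LM:  # a real LM hash is trivially crackable
            findings[user].append("lm-hash-stored")
        if nt == EMPTY_NT:
            findings[user].append("blank-password")
        elif nt:
            by_nt[nt].append(user)
        last_set = rec.get("lastpasswordset")
        if last_set and (now - last_set).days > max_age_days:
            findings[user].append("stale-password")
        if (rec.get("failedlogins") or 0) >= max_failed:
            findings[user].append("repeated-failed-logins")
    for users in by_nt.values():
        if len(users) > 1:  # identical NT hash means identical password
            for user in users:
                findings[user].append("nt-hash-shared")
    return dict(findings)


if __name__ == "__main__":
    for user, found in audit_sam(SAMPLE, datetime(2024, 6, 1, tzinfo=timezone.utc)).items():
        print(user, found)
```

Because NT hashes are unsalted, two accounts with the same `nt` value share a password, which is why the grouping step works without ever recovering the password itself.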