sam

$ target-query <path/to/target> -f sam
Details

Module

dissect.target.plugins.os.windows.credential.sam.SamPlugin

Output

records

Module documentation

SAM plugin.

Function documentation

Dump SAM entries

The Security Account Manager (SAM) registry hive contains registry keys that store usernames, full names and password hashes, in either LM or NT format.

Yields SamRecords with fields:

rid (uint32): The RID.
fullname (string): Parsed fullname.
username (string): Parsed username.
admincomment (string): Parsed admin comment.
usercomment (string): Parsed user comment.
lastlogin (datetime): Parsed last login date.
lastpasswordset (datetime): Parsed last password set date.
lastincorrectlogin (datetime): Parsed last incorrect login date.
flags (uint32): Parsed flags.
countrycode (uint16): Parsed country code (international country calling code).
failedlogins (uint32): Parsed failed logins, reset after successful login.
logins (uint32): Parsed logins (max 0xFFFF = 65535).
lm (string): Parsed LM-hash.
nt (string): Parsed NT-hash.
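
The following is an added example, not part of dissect or its documentation: a small audit pass over SamRecord-like objects that uses the fields listed above to flag stored LM hashes, blank passwords, shared NT hashes, stale passwords and repeated failed logins. It assumes `lm` and `nt` are hex strings and timestamps are timezone-aware; `audit_sam`, `sample_records`, the thresholds and the sample hash values are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace

# Well-known LM and NT hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def audit_sam(records, now, max_password_age_days=365, failed_threshold=10):
    """Return sorted (rid, username, finding) tuples for SamRecord-like objects."""
    findings, by_nt = [], defaultdict(list)
    for r in records:
        lm, nt = (r.lm or "").lower(), (r.nt or "").lower()
        if lm and lm != EMPTY_LM:  # a real LM hash is still being stored
            findings.append((r.rid, r.username, "LM hash stored"))
        if nt == EMPTY_NT:
            findings.append((r.rid, r.username, "blank password"))
        elif nt:
            by_nt[nt].append(r)
        age = now - r.lastpasswordset if r.lastpasswordset else None
        if age is not None and age > timedelta(days=max_password_age_days):
            findings.append((r.rid, r.username, "password older than limit"))
        if (r.failedlogins or 0) >= failed_threshold:
            findings.append((r.rid, r.username, "many failed logins"))
    # NT hashes are unsalted, so equal hashes mean equal passwords.
    for group in by_nt.values():
        if len(group) > 1:
            findings += [(r.rid, r.username, "NT hash shared with another account") for r in group]
    return sorted(findings)


def sample_records():
    """Constructed records; the non-empty hash values are placeholders, not real data."""
    utc = timezone.utc
    def rec(rid, user, lm, nt, pwset, failed):
        return SimpleNamespace(rid=rid, username=user, lm=lm, nt=nt,
                               lastpasswordset=pwset, failedlogins=failed)
    return [
        rec(500, "Administrator", EMPTY_LM, "11" * 16, datetime(2024, 1, 10, tzinfo=utc), 0),
        rec(501, "Guest", EMPTY_LM, EMPTY_NT, None, 0),
        rec(1001, "svc_backup", "22" * 16, "11" * 16, datetime(2019, 5, 1, tzinfo=utc), 14),
    ]


if __name__ == "__main__":
    for finding in audit_sam(sample_records(), datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(finding)
```

The function only reads attributes, so it can be applied to the records this plugin yields as well as to the constructed sample.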