This repo holds emulation test programs for all the procedures of the attack technique T1003.002: Extracting Credentials from the SAM Database. Each executable exercises a single identified procedure.
Note: These programs do not perform the step of decrypting password hashes from the SAM. No password hashes are computed or displayed. The goal is to produce observable telemetry, not to extract usable credentials.
```
sam-emulation/
├── CMakeLists.txt
├── README.md
├── common/
│   ├── common.h                    ← Shared declarations
│   └── common.cpp                  ← Shared implementations
├── proc_a/proc_a.cpp               ← Procedure A: Local Registry Access
├── proc_b_enum/proc_b_enum.cpp     ← Procedure B: Remote Registry Access - Enum & Query
├── proc_b_save/proc_b_save.cpp     ← Procedure B: Remote Registry Access - Save
├── proc_c/proc_c.cpp               ← Procedure C: Volume Shadow Copy
├── proc_d/proc_d.cpp               ← Procedure D: Raw Disk Access
└── proc_e/proc_e.cpp               ← Procedure E: Acquire Registry Backup
```
Requirements: Visual Studio 2022 with C++ workload, CMake ≥ 3.20.

```
cmake -B build -G "Visual Studio 17 2022" -A x64
cmake --build build --config Release
```

Executables are written to build\Release\.
## Procedure A: Local Registry Access

Accesses SAM and SYSTEM registry data locally via two methods.

Required privileges: Administrator (both methods).
### Method: enum

Enables SeBackupPrivilege, then opens HKLM\SAM\SAM\Domains\Account with
REG_OPTION_BACKUP_RESTORE, which causes the kernel to bypass the key's
restrictive DACL for read operations. Enumerates user subkeys and reads each
account's V value, then reads the boot key class attributes from
HKLM\SYSTEM\...\Lsa. No files are written to disk.

```
proc_a.exe --method enum
```

Expected telemetry:
- Win 4656 / 4663 (needs SACL on SAM and SYSTEM keys)
### Method: save

Uses SeBackupPrivilege and RegSaveKey to write hive files to disk.

```
proc_a.exe --method save
proc_a.exe --method save --output-dir C:\Temp\output
```

Expected telemetry:
- Win 4656 (object access, needs SACL)
- Sysmon 11 (FileCreate) × 2 — one for SAM.hive, one for SYSTEM.hive
## Procedure B: Remote Registry Access - Enum & Query

Accesses SAM and SYSTEM on a remote machine over RPC/SMB. Requires the Remote Registry service to be running on the target.

Required privileges: Administrator credentials on the target machine.
Pre-authenticate with net use \\<target>\IPC$ /user:<domain\user> if needed.
Connects to the remote registry via RegConnectRegistry, then uses the standard
Windows registry API to enumerate keys and query values. Because the handle
refers to a remote registry, these calls are marshalled to the target's Remote
Registry service over the MS-RRP protocol. Nothing is written to the target.

```
proc_b.exe --target <hostname_or_ip>
```

Expected telemetry (on target):
- Win 4624 (Logon) — network logon to target
- Win 5145 (NetworkShareAccess) — IPC$ / winreg pipe access
- Win 4656 / 4663 (needs SACL on SAM and SYSTEM keys)
Note: This test is not currently working. Help would be appreciated, otherwise I'll get to it eventually!
## Procedure B: Remote Registry Access - Save

Accesses SAM and SYSTEM on a remote machine over RPC/SMB by saving them to disk. Requires the Remote Registry service to be running on the target.

Required privileges: Administrator credentials on the target machine.
Pre-authenticate with net use \\<target>\IPC$ /user:<domain\user> if needed.

Uses BaseRegSaveKey to write hive files on the target. These tests do not
retrieve the files; they must be fetched from the target machine separately.
Manually clean up the saved hive files on the target when done.

```
proc_b_save.exe \\TARGET_HOST HIVE[\SubKey] C:\Windows\Temp\output.bin
// HIVE: HKLM | HKCU | HKCR | HKU | HKCC
// Notes
// • The output file path is on the REMOTE host. Retrieve it via SMB.
// • The file must not already exist; BaseRegSaveKey will not overwrite it.
// • Requires SeBackupPrivilege (run as Administrator).
// • Requires the Remote Registry service to be running on the target.
```
Expected telemetry (on target):
- Win 4624 (remote logon)
- Sysmon 11 (FileCreate) × 2 — SAM and SYSTEM hive files written on target
## Procedure C: Volume Shadow Copy

Creates a Volume Shadow Copy of C: via the WMI COM API
(Win32_ShadowCopy.Create), copies the locked SAM and SYSTEM hive files
through the snapshot device path, then deletes the shadow copy.

Required privileges: Administrator.

```
proc_c.exe
proc_c.exe --output-dir C:\Temp\output
proc_c.exe --use-existing "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
```

- --use-existing skips shadow copy creation and uses the supplied device path. The shadow copy is not deleted when this flag is used.
- When a shadow copy is created by the tool, it is automatically deleted after the files are copied.

COM calls made:

```
CoCreateInstance(CLSID_WbemLocator)
IWbemLocator::ConnectServer("ROOT\\CIMV2")
IWbemServices::ExecMethod("Win32_ShadowCopy", "Create")
IWbemServices::DeleteInstance("Win32_ShadowCopy.ID=...")
```
Expected telemetry:
- Win 8222 (Shadow Copy Created)
- Win 8224 (Shadow Copy Deleted) — when created by the tool
- Sysmon 11 (FileCreate) × 2 — destination SAM.hive and SYSTEM.hive
## Procedure D: Raw Disk Access

Opens a raw volume handle (\\.\C:) and parses NTFS structures to locate
and extract the SAM and SYSTEM hive files by reading their data clusters
directly.

Required privileges: Administrator.

```
proc_d.exe
proc_d.exe --output-dir C:\Temp\output
proc_d.exe --volume D --output-dir C:\Temp\output
```
Implementation details:
- Reads NTFS data structures from the raw volume manually to retrieve file data.
Expected telemetry: Minimal. Raw volume I/O operates below the standard file system telemetry layer. Sysmon does not generate FileCreate or FileRead events for raw device reads.
## Procedure E: Acquire Registry Backup

Enables Windows periodic registry backups (which place copies of the hive
files in %SystemRoot%\System32\config\RegBack\), then copies those files
out. The enable and extract stages are separated in time: Windows performs
the backup automatically during idle time after a system reboot, every 10 days.

Required privileges: Administrator (all subcommands).
### enable

Creates HKLM\SYSTEM\...\Configuration Manager\EnablePeriodicBackup = 1.
After running this, trigger the backup task, then proceed to check/extract.

```
proc_e.exe enable
```

Trigger the backup manually (no reboot required):

```
schtasks /run /tn "\Microsoft\Windows\Registry\RegIdleBackup"
```

Expected telemetry:
- Sysmon 13 (RegistryValueSet)
- Win 4657 (registry object modification, needs SACL)
### check

Checks whether the RegBack files exist and reports their size and modification timestamp.

```
proc_e.exe check
```

### extract

Copies SAM and SYSTEM from RegBack\ to the output directory.

```
proc_e.exe extract --output-dir C:\Temp\output
```

Expected telemetry:
- Sysmon 11 (FileCreate) × 2 — destination SAM.hive and SYSTEM.hive

### disable

Removes the EnablePeriodicBackup registry value to restore the default state.

```
proc_e.exe disable
```
## Exit codes

| Code | Meaning |
|---|---|
| 0 | Success — all essential operations completed |
| 1 | Argument parsing error |
| 2 | Privilege/access error (insufficient privileges) |
| 3 | Operation failure (Windows API call failed) |
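The telemetry listed for each procedure, pulled together into one detection pass as an added example (not code from this repo): the events are constructed dicts shaped like the Windows Security and Sysmon fields named above, the full EnablePeriodicBackup key path is assumed, and Sysmon event 9 (RawAccessRead), which the procedure D notes do not mention, is included because it records the \\.\ device open when the Sysmon configuration enables it.

```python
"""Detection pass over the telemetry this README lists (added example; events are constructed dicts)."""
import ntpath
import re
from datetime import datetime, timedelta

HIVE_NAMES = {"sam", "sam.hive", "system", "system.hive"}
LEGIT_DIR = re.compile(r"\\windows\\system32\\config\\", re.I)  # where the live hives normally sit
PERIODIC_BACKUP = re.compile(r"\\configuration manager\\enableperiodicbackup$", re.I)

def _ts(ev):
    return datetime.fromisoformat(ev["UtcTime"])

def detect(events, shadow_window=timedelta(minutes=5)):
    """Return (UtcTime, rule, detail) tuples for events matching the procedures above."""
    alerts, shadow_created = [], []  # shadow_created: timestamps of 8222 seen so far
    for ev in sorted(events, key=_ts):
        src, eid = ev["Source"], ev["EventID"]
        if src == "Security" and eid in (4656, 4663):
            # Procedures A/B: only fires if an audit SACL is set on HKLM\SAM
            if ev["ObjectName"].upper().startswith(r"\REGISTRY\MACHINE\SAM"):
                alerts.append((ev["UtcTime"], "sam_key_access", ev["ObjectName"]))
        elif src == "Security" and eid == 8222:
            shadow_created.append(_ts(ev))  # Procedure C: shadow copy created
        elif src == "Sysmon" and eid == 11:
            path = ev["TargetFilename"]
            if ntpath.basename(path).lower() in HIVE_NAMES and not LEGIT_DIR.search(path):
                rule = "hive_copy_written"  # Procedures A (save), B (save), C, E (extract)
                if any(timedelta(0) <= _ts(ev) - t <= shadow_window for t in shadow_created):
                    rule = "hive_copy_after_shadow_copy"
                alerts.append((ev["UtcTime"], rule, path))
        elif src == "Sysmon" and eid == 9:
            # Procedure D: no FileCreate/FileRead, but RawAccessRead records the \\.\ device open
            alerts.append((ev["UtcTime"], "raw_volume_read", ev["Device"]))
        elif src == "Sysmon" and eid == 13 and PERIODIC_BACKUP.search(ev["TargetObject"]):
            alerts.append((ev["UtcTime"], "periodic_backup_enabled", ev["Details"]))  # Procedure E
    return alerts

SAMPLE_EVENTS = [  # constructed, modelled on the telemetry listed for each procedure
    {"Source": "Security", "EventID": 4663, "UtcTime": "2024-01-01T10:00:00",
     "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users"},
    {"Source": "Security", "EventID": 8222, "UtcTime": "2024-01-01T10:05:00"},
    {"Source": "Sysmon", "EventID": 11, "UtcTime": "2024-01-01T10:05:30",
     "TargetFilename": r"C:\Temp\output\SAM.hive"},
    {"Source": "Sysmon", "EventID": 11, "UtcTime": "2024-01-01T10:05:31",
     "TargetFilename": r"C:\Windows\System32\config\SYSTEM"},  # legitimate location, ignored
    {"Source": "Sysmon", "EventID": 9, "UtcTime": "2024-01-01T11:00:00", "Device": r"\Device\HarddiskVolume3"},
    {"Source": "Sysmon", "EventID": 13, "UtcTime": "2024-01-01T12:00:00",  # full key path assumed
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager\EnablePeriodicBackup",
     "Details": "DWORD (0x00000001)"},
]
```

Running detect(SAMPLE_EVENTS) yields one alert per procedure in the sample, and the hive written into %SystemRoot%\System32\config is skipped as the legitimate location.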