The SAM (Security Account Manager) is the Windows registry hive that stores the password hashes of local accounts on a machine (HKLM\SAM). The hashes are NT hashes, encrypted with a key (the boot key) held in the SYSTEM hive, so an attacker needs both. With local admin or SYSTEM they save the hives or read them from memory, extract the local hashes, and crack or pass them. Reused local-admin passwords make a single SAM dump a path across many machines.
What the SAM is
The SAM is a registry hive (HKLM\SAM) holding the local user accounts and their password hashes for one Windows machine. These are local accounts (like the built-in Administrator), separate from domain accounts.
The hashes are stored as NT hashes and protected with the machine’s boot key, which lives in the SYSTEM hive. That is why dumping the SAM requires the SYSTEM hive too, one without the other is not enough.
The dump and payload
With local admin or SYSTEM, the attacker grabs both hives and extracts the hashes:
- Save the hives:
reg save HKLM\SAM sam.hivandreg save HKLM\SYSTEM system.hiv - Extract local NT hashes offline:
secretsdump.py -sam sam.hiv -system system.hiv LOCAL - Or live, in memory, with a credential tool that reads the SAM directly.
The result is every local account’s NT hash, ready to crack or use via Pass-the-Hash. Documented techniques shown for defenders.
How to defend
- Use [LAPS](/learn/active-directory/what-is-laps) so every machine has a unique local-admin password and one SAM dump unlocks only that host.
- Limit local-administrator rights, the prerequisite for dumping the SAM.
- Enable [Credential Guard](/learn/active-directory/what-is-credential-guard) and restrict debug/SYSTEM access.
- Detect
reg saveof SAM/SYSTEM and suspicious access to the hives. - Disable NTLM where possible so a passed local hash is less useful.
References
- [1]MITRE ATT&CK: OS Credential Dumping (T1003)(MITRE)
- [2]Microsoft: Windows credential security(Microsoft)
- [3]MITRE ATT&CK: Credential Access (TA0006)(MITRE)