Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0085: Credential Dumping from SAM via Registry Dump and Local File Access

This detection strategy matters because it is tied to attempts to obtain local Windows account credential material from the Security Account Manager (SAM)....

EnterpriseDET0085Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because it is tied to attempts to obtain local Windows account credential material from the Security Account Manager (SAM). For leaders, the practical issue is not just credential theft; it is whether the organization can prove it would notice suspicious access to sensitive local account data before an intruder turns one compromised host into broader access.

Executive priority

Prioritize this as a credential-access readiness question for Windows environments. Security leaders should ask whether SOC, incident response, and compliance teams have evidence of monitoring around sensitive registry and local file access associated with the SAM, and whether privileged local account exposure is understood. The object has no official MITRE detection text, so the business decision should focus on validating actual telemetry and response playbooks rather than assuming coverage exists.

Technical view

This strategy detects ATT&CK technique T1003.002, Security Account Manager, under the credential-access tactic. The related technique is Windows-specific and notes that SAM enumeration requires SYSTEM-level access. SOC and IR teams should validate whether they collect and retain evidence of suspicious access to SAM-related registry or local file artifacts, especially when performed by unexpected processes, users, or elevated contexts. Detection engineering should correlate sensitive SAM access with privilege level, process lineage, host role, and prior authentication or elevation activity, while avoiding claims of coverage until local logging confirms visibility.

Likely telemetry

  • Windows security and audit events related to privileged local activity
  • Process creation and process lineage on Windows hosts
  • Registry access or registry object auditing where enabled
  • File access auditing for sensitive local system files where enabled
  • Endpoint detection telemetry showing elevated process behavior

Detection direction

  • Validate that the environment can observe access to SAM-related registry or local file locations; many environments do not enable detailed registry or file auditing by default.
  • Tune for unusual process lineage, unexpected administrative tools, or nonstandard processes accessing sensitive credential stores rather than alerting on file names alone.
  • Correlate suspected SAM access with evidence of SYSTEM-level execution, because the related ATT&CK technique states SAM enumeration requires SYSTEM-level access.
  • Separate legitimate administrative, backup, forensic, or security tooling from suspicious behavior through allowlisting, change windows, host role context, and approved tool inventories.
  • Use the relationship to T1003.002 as the analytic anchor; the detection-strategy object itself provides no official detection logic or platform list.

Mitigation priorities

  • Harden and monitor privileged local administrator and SYSTEM-level pathways on Windows hosts.
  • Limit and audit use of local accounts, especially where local administrator credentials are shared or unmanaged.
  • Enable appropriate endpoint, process, registry, and file-access telemetry on high-value Windows systems before relying on this detection strategy.
  • Ensure incident response playbooks treat suspected SAM access as a credential-access event requiring credential exposure assessment and containment decisions.
  • Document logging coverage and exceptions as compliance evidence for credential protection and privileged access monitoring.
Analyst notes and limits

The supplied ATT&CK object is a detection strategy named Credential Dumping from SAM via Registry Dump and Local File Access. It has no official description, no official detection text, and no platforms listed directly on the object. The only technical context comes from its relationship to T1003.002 Security Account Manager, which is a Windows credential-access technique involving attempts to extract credential material from the SAM database.

This take is intentionally conservative. It does not assert active exploitation, attribution, impact, or guaranteed detectability. Local validation is required to determine whether registry access, file access, process creation, and privileged execution telemetry are collected with enough fidelity to support detection.

Official MITRE ATT&CK definition

Credential Dumping from SAM via Registry Dump and Local File Access

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1003.002 Security Account Manager Sub-technique This object detects Security Account Manager.
Relationship explorer

All related ATT&CK context

detects · Technique T1003.002: Security Account Manager Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
d0e7ccd7f1e6e04b...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle d0e7ccd7f1e6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0085
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use