The SAM hive contains a wealth of information that can be used to profile an endpoint's accounts. For domain-joined endpoints, the SAM hive will be present on the domain controller. Non-domain-joined endpoints will have a resident SAM hive.
- Behavioral - Persistence (TA0003)
- Account - Creation Time
- Account - Group Membership
- Account - Last Login
- Account - Relative Identifier (RID)
- Windows 11
- Windows 10
- Windows 8
- Windows 7
- Windows Vista
- Windows XP
- File: %SystemRoot%\System32\config\SAM
- RegistryExplorer (Eric Zimmerman)
Within the SAM hive, the registry key located at SAM\Domains\Accounts\Users will contain the following values for each account:
- Relative Identifier (RID)
- CreatedOn time (Time the account was created)
- Logon Count
- Username
- Password reset questions
- Password Hints
- Last Login Time
- Last Failed Login Time
- Last Password Change Time
Note: If the account in question is authenticating using Microsoft Live, the Logon Count will be 0.
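Most of the values listed above (RID, logon counts, last login, last failed login and last password change) are packed into the binary F value of each per-RID user key, and the username sits in the variable-layout V value. The following Python is an added example, not code from this page or from RegistryExplorer; the F/V layout and offsets it uses are the ones documented by open-source SAM parsers (RegRipper's samparse, impacket) and are an assumption here, as is the ACB flag table. The sample bytes are constructed in the block itself rather than taken from a real hive, so it runs offline; pointing parse_f / parse_v_username at values exported from a real SAM hive is the intended use.

```python
"""Decode the per-account F and V values found under the Users key of a SAM hive.

Constructed sample data only. Offsets follow the layout documented by
open-source SAM parsers (RegRipper samparse, impacket); treat them as an
assumption and cross-check against a known hive before relying on them.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Account control bits (ACB) stored in the F value, names as used by Samba.
ACB_FLAGS = {
    0x0001: "Disabled",
    0x0002: "HomeDirRequired",
    0x0004: "PasswordNotRequired",
    0x0008: "TempDuplicate",
    0x0010: "NormalAccount",
    0x0020: "MnsLogon",
    0x0040: "InterdomainTrust",
    0x0080: "WorkstationTrust",
    0x0100: "ServerTrust",
    0x0200: "PasswordNeverExpires",
    0x0400: "AutoLocked",
}


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 or max means 'never'."""
    if ft in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic so no precision is lost."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86_400_000_000 + d.seconds * 1_000_000 + d.microseconds) * 10


def decode_acb(acb):
    """Expand the ACB bit field into the list of set flag names, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def parse_f(f):
    """Parse the fixed-layout F value of one user key into a dict of account properties."""
    if len(f) < 0x44:
        raise ValueError("F value too short: %d bytes" % len(f))
    last_logon, = struct.unpack_from("<Q", f, 0x08)
    pwd_last_set, = struct.unpack_from("<Q", f, 0x18)
    expires, = struct.unpack_from("<Q", f, 0x20)
    last_failed, = struct.unpack_from("<Q", f, 0x28)
    rid, = struct.unpack_from("<I", f, 0x30)
    acb, = struct.unpack_from("<H", f, 0x38)
    failed_count, = struct.unpack_from("<H", f, 0x40)
    logon_count, = struct.unpack_from("<H", f, 0x42)
    return {
        "rid": rid,
        "last_logon": filetime_to_datetime(last_logon),
        "last_password_change": filetime_to_datetime(pwd_last_set),
        "account_expires": filetime_to_datetime(expires),
        "last_failed_logon": filetime_to_datetime(last_failed),
        "acb_flags": decode_acb(acb),
        "failed_logon_count": failed_count,
        "logon_count": logon_count,
    }


def parse_v_username(v):
    """Read the account name from the V value.

    V opens with 17 (offset, length, flags) uint32 triplets; data offsets are
    relative to the end of that 0xCC-byte header. Entry 1 is the username (UTF-16LE).
    """
    if len(v) < 0xCC:
        raise ValueError("V value too short: %d bytes" % len(v))
    off, length = struct.unpack_from("<II", v, 0x0C)
    start = 0xCC + off
    return v[start:start + length].decode("utf-16-le")


def profile_account(f, v):
    """Combine F and V into one record, the fields a triage analyst wants per account."""
    rec = parse_f(f)
    rec["username"] = parse_v_username(v)
    return rec


# --- constructed sample data (not from a real hive) ---

def build_f(rid, acb, last_logon, pwd_last_set, last_failed, failed_count, logon_count):
    f = bytearray(0x50)
    struct.pack_into("<H", f, 0x00, 2)  # revision field seen at the start of F
    struct.pack_into("<Q", f, 0x08, datetime_to_filetime(last_logon))
    struct.pack_into("<Q", f, 0x18, datetime_to_filetime(pwd_last_set))
    struct.pack_into("<Q", f, 0x20, 0x7FFFFFFFFFFFFFFF)  # account never expires
    struct.pack_into("<Q", f, 0x28, datetime_to_filetime(last_failed))
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    struct.pack_into("<H", f, 0x40, failed_count)
    struct.pack_into("<H", f, 0x42, logon_count)
    return bytes(f)


def build_v(username):
    name = username.encode("utf-16-le")
    hdr = bytearray(0xCC)
    struct.pack_into("<III", hdr, 0x0C, 0, len(name), 0)  # entry 1: username at data offset 0
    return bytes(hdr) + name


UTC = timezone.utc
SAMPLE_F = build_f(1001, 0x0210,  # NormalAccount | PasswordNeverExpires
                   datetime(2024, 3, 1, 9, 30, tzinfo=UTC),
                   datetime(2023, 11, 20, 16, 5, tzinfo=UTC),
                   datetime(2024, 2, 28, 22, 41, 7, tzinfo=UTC), 3, 7)
SAMPLE_V = build_v("svc-backup")

if __name__ == "__main__":
    for key, val in profile_account(SAMPLE_F, SAMPLE_V).items():
        print(f"{key:22} {val}")
```

A logon count of 0 paired with a recent last-logon timestamp is consistent with the Microsoft account case noted above rather than an unused account, so read the two fields together; a flag set of PasswordNeverExpires on an account with a RID above 1000 and a late creation time is the kind of combination worth a second look when hunting for persistence.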