Clankerusecase
MITRE ATT&CK detection coverage

T1003.002 Security Account Manager

T1003.002 — Security Account Manager is a MITRE ATT&CK technique in the Credential Access tactic. Clankerusecase tracks 13 detection use cases covering it and 1 threat-intel article citing it.

Credential Access
13 Use cases
1 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (13)

Azure AD Privileged Authentication Administrator Role Assigned ESCU actions · alerting P
Azure AD Privileged Graph API Permission Assigned ESCU actions · alerting P
O365 Privileged Graph API Permission Assigned ESCU actions · alerting P
Detect Copy of ShadowCopy with Script Block Logging ESCU actions · alerting P
Esentutl SAM Copy ESCU actions · hunting P
SAM Database File Access Attempt ESCU actions · hunting P
Windows Rapid Authentication On Multiple Hosts ESCU actions · alerting P
Windows Sensitive Registry Hive Dump Via CommandLine ESCU actions · alerting P
Attempted Credential Dump From Registry via Reg exe ESCU actions · alerting P
Excel Spawning PowerShell ESCU actions · alerting P
Excel Spawning Windows Script Host ESCU actions · alerting P
Extraction of Registry Hives ESCU actions · alerting P
[LLM] SAM/SECURITY registry hives copied from VSS shadow to Public\Documents as .pdf Bespoke actions · alerting DSΣPDDCS

Articles citing this technique (1)