T1003.002 (sub-technique)
OS Credential Dumping: Security Account Manager
7 syscalls implement this technique
- NtOpenKey
Opens an existing registry key — the kernel entry behind RegOpenKeyEx, used to reach SAM, SECURITY and persistence hives.
- NtOpenKeyEx
Extended variant of NtOpenKey accepting OpenOptions — required for symlink-following and backup-semantics opens.
- NtLoadKey
Mounts a registry hive file under a target key — the syscall behind offline SAM/SYSTEM loading.
- NtLoadKey2
Loads a registry hive into the configuration tree with a 2-flag wrapper around NtLoadKey.
- NtLoadKeyEx
Modern hive-load syscall — backs RegLoadKeyW, RegLoadAppKeyW and the AppContainer registry virtualization layer.
- NtUnloadKey
Detaches a previously-loaded registry hive from the configuration manager.
- NtSaveKey
Writes a live registry key (with subtree) to a hive file — the kernel side of SAM/SECURITY theft.