Evidence: SAM Users and Groups
Description: Collect SAM Users and Groups
Category: System
Platform: windows
Short Name: sam
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Security Account Manager (SAM) hive stores local user and group account information. This data is essential for enumerating accounts, SIDs, and group memberships.
Data Collected
This collector gathers structured data about SAM users and groups.
Collection Method
This collector parses SAM and related hives to enumerate local users and groups, resolving group memberships into sam_users and sam_groups.
Forensic Value
This evidence is crucial for forensic investigations because it identifies local accounts and their privileges, supporting the analysis of lateral movement and persistence.