SAM Users and Groups
Overview
Evidence: SAM Users and Groups
Description: Collect SAM Users and Groups
Category: System
Platform: windows
Short Name: sam
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Security Account Manager (SAM) hive (%SystemRoot%\System32\config\SAM, mounted at HKLM\SAM on a running system) stores a Windows host's local user and group accounts: for each user its RID, account name, account-control flags and logon metadata, and for each local group (alias) the SIDs of its members. A local user's SID is the machine SID followed by the account's RID. This data is essential for enumerating accounts, SIDs, and group memberships. Note that on a live host the SAM key is readable only by SYSTEM and the hive file is locked while Windows runs, so offline parsing normally works from a raw or volume-shadow copy of the file.
Data Collected
This collector produces two structured outputs: sam_users, one record per local user account, and sam_groups, the local groups together with their resolved memberships.
Collection Method
This collector parses the SAM hive, together with the related hives it needs, to enumerate local users and local groups, resolves each group's member list against the enumerated accounts, and writes the results to sam_users and sam_groups.
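As an added illustration of what that parsing involves (example code written for this page, not the collector's own implementation): the block below decodes the three SAM record types the enumeration depends on and joins them into sam_users / sam_groups style rows. It assumes the record layouts documented by public SAM parsers, which the page itself does not spell out: in a user key's V value the account name is located by the offset/length pair at 0x0C/0x10, relative to 0xCC; in the F value the last-logon and password-set FILETIMEs sit at 0x08 and 0x18, the RID at 0x30, the ACB flags at 0x38 and the logon count at 0x3E; in an alias key's C value the name and the packed member-SID list are located by offset fields at 0x10 and 0x28, relative to 0x34. The helper names (parse_user, parse_alias, build_tables, make_v, make_f, make_c, collect), the machine SID and the V/F/C blobs are constructed for the example and are not real hive data.

```python
import struct
from datetime import datetime, timedelta, timezone

# Account-control bits held in the F record (subset of the ACB_* flags).
ACB_DISABLED = 0x0001
ACB_PWNOTREQ = 0x0004

def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO-8601, or None when unset."""
    return None if ft == 0 else (datetime(1601, 1, 1, tzinfo=timezone.utc)
                                 + timedelta(microseconds=ft // 10)).isoformat()

def parse_sid(buf, off=0):
    """Decode one binary SID at buf[off]; return (string form, bytes consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)  # 32-bit, little-endian
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count

def parse_user(v, f):
    """Users\\<hex RID>: V holds variable-length strings, F holds fixed-offset metadata."""
    name_off, name_len = struct.unpack_from("<II", v, 0x0C)  # V offsets are relative to 0xCC
    name = v[0xCC + name_off:0xCC + name_off + name_len].decode("utf-16-le")
    last_logon, = struct.unpack_from("<Q", f, 0x08)
    pwd_last_set, = struct.unpack_from("<Q", f, 0x18)
    rid, acb = struct.unpack_from("<IxxxxH", f, 0x30)       # RID at 0x30, ACB flags at 0x38
    logon_count, = struct.unpack_from("<H", f, 0x3E)
    return {"name": name, "rid": rid, "disabled": bool(acb & ACB_DISABLED),
            "password_not_required": bool(acb & ACB_PWNOTREQ),
            "last_logon": filetime_to_iso(last_logon),
            "password_last_set": filetime_to_iso(pwd_last_set), "logon_count": logon_count}

def parse_alias(c):
    """Aliases\\<hex RID> C value: 32-bit header fields, data located at 0x34 + offset."""
    name_off, name_len = struct.unpack_from("<II", c, 0x10)
    members_off, _members_len, count = struct.unpack_from("<III", c, 0x28)
    name = c[0x34 + name_off:0x34 + name_off + name_len].decode("utf-16-le")
    members, pos = [], 0x34 + members_off
    for _ in range(count):                 # member SIDs are packed back to back
        sid, used = parse_sid(c, pos)
        members.append(sid)
        pos += used
    return {"name": name, "members": members}

def build_tables(machine_sid, user_records, alias_records):
    """Local user SID = machine SID + RID. Member SIDs matching a local user are resolved
    to a name; domain or well-known SIDs stay unresolved but are still reported."""
    sam_users, by_sid = [], {}
    for v, f in user_records:
        u = parse_user(v, f)
        u["sid"] = "%s-%d" % (machine_sid, u["rid"])
        by_sid[u["sid"]] = u["name"]
        sam_users.append(u)
    sam_groups = []
    for c in alias_records:
        a = parse_alias(c)
        for sid in a["members"]:
            sam_groups.append({"group": a["name"], "member_sid": sid,
                               "member_name": by_sid.get(sid), "local": sid in by_sid})
    return sam_users, sam_groups

# ---- constructed fixtures (hypothetical blobs, not taken from a real hive) ----
def make_v(name):
    raw = name.encode("utf-16-le")
    v = bytearray(0xCC) + raw
    struct.pack_into("<II", v, 0x0C, 0, len(raw))
    return bytes(v)

def make_f(rid, acb, last_logon=0, pwd_set=0, logon_count=0):
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x08, last_logon)
    struct.pack_into("<Q", f, 0x18, pwd_set)
    struct.pack_into("<IxxxxH", f, 0x30, rid, acb)
    struct.pack_into("<H", f, 0x3E, logon_count)
    return bytes(f)

def make_sid(text):
    rev, auth, *subs = (int(p) for p in text.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def make_c(name, member_sids):
    raw = name.encode("utf-16-le")
    members = b"".join(make_sid(s) for s in member_sids)
    c = bytearray(0x34)
    struct.pack_into("<II", c, 0x10, 0, len(raw))
    struct.pack_into("<III", c, 0x28, len(raw), len(members), len(member_sids))
    return bytes(c) + raw + members

MACHINE_SID = "S-1-5-21-1111-2222-3333"  # hypothetical machine SID
USERS = [  # (V, F) per user key; 0x0211 = NORMAL|PWNOEXP|DISABLED, 0x0014 = NORMAL|PWNOTREQ
    (make_v("Administrator"), make_f(500, 0x0211, pwd_set=132000000000000000)),
    (make_v("svc_backup"), make_f(1001, 0x0014, last_logon=133500000000000000, logon_count=7)),
]
ALIASES = [  # C per alias key; the third Administrators member is a domain SID, not a local user
    make_c("Administrators", [MACHINE_SID + "-500", MACHINE_SID + "-1001", "S-1-5-21-9999-8888-7777-512"]),
    make_c("Remote Desktop Users", [MACHINE_SID + "-1001"]),
]

def collect():
    return build_tables(MACHINE_SID, USERS, ALIASES)
```

Against a real hive, the same functions take the V and F values of each key under SAM\Domains\Account\Users\<hex RID> and the C value of each key under SAM\Domains\Builtin\Aliases and SAM\Domains\Account\Aliases, read with any offline hive parser, with the machine SID taken from the end of the V value of SAM\Domains\Account. The unresolved domain SID in the constructed Administrators group is the case worth keeping in the output rather than dropping: a domain account or group nested in the local Administrators alias is exactly the kind of privilege path an investigator wants to see.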
Forensic Value
This evidence is crucial for forensic investigations because it identifies every local account on the host, including accounts an attacker created or re-enabled, and shows which accounts hold local privileges through group membership (for example, membership in the local Administrators group), supporting lateral movement and persistence analysis.