Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.
Tactics
TA0006
Sub-technique of
T1003
See: MITRE ATT&CK