GitHub - EncodeGroup/RegSave: A .NET implementation to dump SAM / SECURITY / SYSTEM registry hives
RegSave
A .NET 3.5 application that will dump SAM / SYSTEM / SECURITY registry keys to a path of your choosing.
Usage
regsave.exe c:\Users\USER\Appdata\Local
execute-assembly /opt/CS/toolkit/regsave.exe c:\Users\USER\Appdata\Local
Collect the files and then parse them with Impacket secretsdump:
secretsdump.py -sam samantha.txt -security secundum.txt -system systemless.txt LOCAL
Detection
Look for Event ID 4656 after configuring audit policy.
More info at Detecting Attempts to steal passwords from the registry
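One way to triage those 4656 events, as an added example that is not part of the RegSave project: it groups handle requests by process and flags any non-allow-listed process that requested handles to both the SAM and SECURITY hives. It assumes the Security-log events were exported as XML under a single root element; the allow-list, host name, paths and sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Hive roots as they appear in the ObjectName field of registry 4656 events.
HIVES = {h: "\\REGISTRY\\MACHINE\\" + h for h in ("SAM", "SECURITY", "SYSTEM")}
# Assumption: processes expected to open these keys on this host; tune per environment.
ALLOWED = {r"c:\windows\system32\lsass.exe"}

def hive_of(object_name):
    """Return the hive label when object_name is a hive root or a key below it."""
    name = object_name.upper()
    for label, root in HIVES.items():
        if name == root or name.startswith(root + "\\"):
            return label
    return None

def find_hive_dumpers(events_xml, required=("SAM", "SECURITY")):
    """Return (computer, pid, image, user) for processes whose 4656 events cover every hive in `required`."""
    seen = defaultdict(set)
    for ev in ET.fromstring(events_xml).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4656":
            continue
        d = {x.get("Name"): x.text or "" for x in ev.iterfind("e:EventData/e:Data", NS)}
        hive = hive_of(d.get("ObjectName", ""))
        if d.get("ObjectType") != "Key" or hive is None:
            continue
        if d.get("ProcessName", "").lower() in ALLOWED:
            continue
        host = ev.findtext("e:System/e:Computer", default="", namespaces=NS)
        seen[(host, d.get("ProcessId", ""), d.get("ProcessName", ""), d.get("SubjectUserName", ""))].add(hive)
    return sorted(k for k, hives in seen.items() if set(required) <= hives)

def _ev(eid, pid, image, obj):
    """Build one constructed event record carrying only the fields used above."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            '<Computer>WS01.example.test</Computer></System><EventData>'
            '<Data Name="SubjectUserName">alice</Data><Data Name="ObjectType">Key</Data>'
            f'<Data Name="ObjectName">{obj}</Data><Data Name="ProcessId">{pid}</Data>'
            f'<Data Name="ProcessName">{image}</Data></EventData></Event>')

TOOL = r"C:\Users\alice\AppData\Local\Temp\tool.exe"  # constructed path
SAMPLE = "<Events>" + "".join([  # constructed events, not captured from a real host
    _ev(4656, "0x1a2c", TOOL, r"\REGISTRY\MACHINE\SAM"),
    _ev(4656, "0x1a2c", TOOL, r"\REGISTRY\MACHINE\SECURITY"),
    _ev(4656, "0x1a2c", TOOL, r"\REGISTRY\MACHINE\SYSTEM"),
    _ev(4656, "0x2f0", r"C:\Windows\System32\lsass.exe", r"\REGISTRY\MACHINE\SAM\SAM\Domains"),
    _ev(4656, "0x2f0", r"C:\Windows\System32\lsass.exe", r"\REGISTRY\MACHINE\SECURITY\Policy"),
    _ev(4656, "0x9b4", r"C:\Windows\System32\svchost.exe", r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet"),
    _ev(4663, "0x7c0", r"C:\Windows\regedit.exe", r"\REGISTRY\MACHINE\SAM"),
]) + "</Events>"
```

Requiring SAM and SECURITY together keeps routine SYSTEM hive access from flooding the results; pass a different `required` tuple to widen or narrow the match.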