{"id":26896637,"url":"https://github.com/EncodeGroup/RegSave","last_synced_at":"2025-04-01T04:01:17.599Z","repository":{"id":202070428,"uuid":"298549046","full_name":"EncodeGroup/RegSave","owner":"EncodeGroup","description":"A .NET implementation to dump SAM / SECURITY / SYSTEM registry hives","archived":false,"fork":false,"pushed_at":"2020-09-25T11:10:30.000Z","size":5,"stargazers_count":36,"open_issues_count":0,"forks_count":5,"subscribers_count":4,"default_branch":"master","last_synced_at":"2023-10-20T07:13:17.948Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/EncodeGroup.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-09-25T11:06:48.000Z","updated_at":"2023-10-20T09:01:37.477Z","dependencies_parsed_at":null,"dependency_job_id":"3f6cf694-c6e6-47f9-821e-9ab6f51f8603","html_url":"https://github.com/EncodeGroup/RegSave","commit_stats":null,"previous_names":["encodegroup/regsave"],"tags_count":null,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EncodeGroup%2FRegSave","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EncodeGroup%2FRegSave/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EncodeGroup%2FRegSave/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EncodeGroup%2FRegSave/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/EncodeGroup","download_url":"https://codeload.github.com/EncodeGroup/RegSave/tar.gz/refs/heads/master","host":{"name"
:"GitHub","url":"https://github.com","kind":"github","repositories_count":246580463,"owners_count":20800110,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-04-01T04:01:16.529Z","updated_at":"2025-04-01T04:01:17.591Z","avatar_url":"https://github.com/EncodeGroup.png","language":"C#","funding_links":[],"categories":["C# #"],"sub_categories":[],"readme":"# RegSave\n\nA .NET 3.5 application that will dump SAM / SYSTEM / SECURITY registry keys to a path of your choosing.\n\n## Usage\n\n```\nregsave.exe c:\\Users\\USER\\Appdata\\Local\nexecute-assembly /opt/CS/toolkit/regsave.exe c:\\Users\\USER\\Appdata\\Local\n```\n\nCollect the files and then parse them with [Impacket secretsdump](https://github.com/SecureAuthCorp/impacket):\n\n```\nsecretsdump.py -sam samantha.txt -security secundum.txt -system systemless.txt LOCAL\n```\n\n## Detection\n\n[MITRE ATT&CK T1003.002](https://attack.mitre.org/techniques/T1003/002/)\n\nLook for Event ID 4656 after configuring audit policy.\n\nMore info at [Detecting Attempts to steal passwords from the registry](https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FEncodeGroup%2FRegSave","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FEncodeGroup%2FRegSave","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FEncodeGroup%2FRegSave/lists"}