https://github.com/EncodeGroup/RegSave

A .NET implementation to dump SAM / SECURITY / SYSTEM registry hives
https://github.com/EncodeGroup/RegSave

Last synced: 3 months ago
JSON representation

A .NET implementation to dump SAM / SECURITY / SYSTEM registry hives

Host: GitHub
URL: https://github.com/EncodeGroup/RegSave
Owner: EncodeGroup
Created: 2020-09-25T11:06:48.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2020-09-25T11:10:30.000Z (over 4 years ago)
Last Synced: 2023-10-20T07:13:17.948Z (over 1 year ago)
Language: C#
Homepage:
Size: 4.88 KB
Stars: 36
Watchers: 4
Forks: 5
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - EncodeGroup/RegSave - A .NET implementation to dump SAM / SECURITY / SYSTEM registry hives (C# #)

README

# RegSave

A .NET 3.5 application that will dump SAM / SYSTEM / SECURITY registry keys to a path of your choosing.

## Usage

```
regsave.exe c:\Users\USER\Appdata\Local
execute-assembly /opt/CS/toolkit/regsave.exe c:\Users\USER\Appdata\Local
```
Collect the files and then parse them with [Impacket secretsdump](https://github.com/SecureAuthCorp/impacket)

```
secretsdump.py -sam samantha.txt -security secundum.txt -system systemless.txt LOCAL
```

## Detection
[MITRE 1003.002](https://attack.mitre.org/techniques/T1003/002/)

Look for Event ID 4656 after configuring audit policy.

More info at
[Detecting Attempts to steal passwords from the registry](https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8)

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Awesome

https://github.com/EncodeGroup/RegSave

Awesome Lists containing this project

README