Skip to content
/ RegSave Public

A .NET implementation to dump SAM / SECURITY / SYSTEM registry hives

49 stars 12 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

EncodeGroup/RegSave

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
Properties
Properties
 
 
Interop.cs
Interop.cs
 
 
Privileges.cs
Privileges.cs
 
 
Program.cs
Program.cs
 
 
README.md
README.md
 
 
Reg.cs
Reg.cs
 
 
RegSave.csproj
RegSave.csproj
 
 
RegSave.sln
RegSave.sln
 
 

Repository files navigation

RegSave

A .NET 3.5 application that will dump SAM / SYSTEM / SECURITY registry keys to a path of your choosing.

Usage

regsave.exe c:\Users\USER\Appdata\Local
execute-assembly /opt/CS/toolkit/regsave.exe c:\Users\USER\Appdata\Local

Collect the files and then parse them with Impacket secretsdump

secretsdump.py -sam samantha.txt -security secundum.txt -system systemless.txt LOCAL

Detection

MITRE 1003.002

Look for Event ID 4656 after configuring audit policy.

More info at Detecting Attempts to steal passwords from the registry

About

A .NET implementation to dump SAM / SECURITY / SYSTEM registry hives

Resources

Readme
Activity
Custom properties

Stars

49 stars

Watchers

4 watching

Forks

12 forks
Report repository

Languages