Dumping Hashes from SAM via Registry
Security Accounts Manager (SAM) credential dumping with a living-off-the-land binary.
Execution
Dumping the registry hives required for hash extraction (attacker@victim):
Once the hive files are dumped and exfiltrated, the hashes can be extracted with samdump2 on Kali (attacker@local):
Observations
Sysmon process-creation logs (Event ID 1) that capture command lines will, as expected, reveal credential dump attempts from the registry:
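The detection side of the observation above, as an added example that is not part of the original note: a small Python scanner over constructed Sysmon Event ID 1 records (JSON-style dicts, not real telemetry) that flags reg.exe saving or exporting the SAM, SECURITY or SYSTEM hive, and matches on the PE's OriginalFileName so a renamed copy of the binary is still caught.

```python
import re
from typing import Iterable

# Constructed Sysmon Event ID 1 (process creation) records, shaped the way a log
# forwarder would emit them. Sample values only, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg save hklm\sam C:\Windows\Temp\sam.hiv", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg save HKLM\SYSTEM C:\Windows\Temp\system.hiv", "User": "CORP\\jdoe"},
    # Renamed binary: Image no longer says reg.exe, but OriginalFileName (PE metadata) still does.
    {"EventID": 1, "Image": r"C:\Users\Public\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"r.exe save HKEY_LOCAL_MACHINE\security C:\Users\Public\sec.hiv", "User": "CORP\\jdoe"},
    # Benign registry query from the same binary: no hive written to disk.
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "User": "CORP\\jdoe"},
    # File-create event (ID 11) carries no command line and is ignored by this rule.
    {"EventID": 11, "Image": r"C:\Windows\System32\reg.exe", "TargetFilename": r"C:\Windows\Temp\sam.hiv"},
]

# Credential-bearing hives: SAM holds the hashes, SYSTEM the boot key, SECURITY the LSA secrets.
HIVE_RE = re.compile(r"\b(?:hklm|hkey_local_machine)\\(sam|security|system)\b", re.IGNORECASE)
# reg.exe subcommands that write a hive to disk.
EXPORT_RE = re.compile(r"\b(save|export)\b", re.IGNORECASE)


def is_reg_exe(event: dict) -> bool:
    """Match the on-disk name or the PE OriginalFileName, so a renamed copy is still caught."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    return "reg.exe" in (image, original)


def classify(event: dict):
    """Return the hive name if this process-creation event saves/exports a credential hive, else None."""
    if event.get("EventID") != 1 or not is_reg_exe(event):
        return None
    cmd = event.get("CommandLine", "")
    if not EXPORT_RE.search(cmd):
        return None
    m = HIVE_RE.search(cmd)
    return m.group(1).upper() if m else None


def scan(events: Iterable[dict]) -> list:
    """Collect (user, hive, command line) for every event the rule fires on."""
    return [(e.get("User", "?"), hive, e["CommandLine"])
            for e in events if (hive := classify(e))]


if __name__ == "__main__":
    for user, hive, cmd in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {user} saved {hive} hive: {cmd}")
```

Saving the SYSTEM hive alone also appears in legitimate backup and support tooling, so tune on user and parent process rather than alerting on every hit. Correlating with the Sysmon Event ID 11 file-create for the written .hiv file, as in the last sample record, raises confidence.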