
I am researching the way an attacker would get a machine's credentials. I figured the most common methods are to dump

hklm\sam
hklm\security
hklm\system

I was able to figure out what information is stored in the SAM and why I would want to save it, but wasn't able to figure out the difference between the other 2 registries.

I have read many manuals by now, and the explanations for both always seem very similar, so I can't tell what the difference is.

  • System contains a lot more stuff, hardware and software configuration etc. – Anders Oct 17 '19 at 13:48
  • @Anders, thank you very much. I think I was able to figure out in more depth the actual differences, hope I am right: LSA secrets, stored under HKLM\security, contain cached domain records ....... syskey, stored under HKLM\system – Knightwish Nov 04 '19 at 15:20
  • Sounds about right, syskey was added to stop the first NTLM dump tools. – Anders Nov 04 '19 at 15:30

0 Answers