\system32\config\system
) can either be exfiltrated the same way the NTDS.dit file is, or it can be exported with reg save HKLM\SYSTEM 'C:\Windows\Temp\system.save'
.C:\Windows\Temp
.C:\Windows\Temp\NTDS\Active Directory\ntds.dit
C:\Windows\Temp\NTDS\registry\SYSTEM
-use-vss
option. Additionaly, the -exec-method
option can be set to smbexec
, wmiexec
or mmcexec
to specify on which remote command execution method to rely on for the process.