T1003.004 (sub-technique)
OS Credential Dumping: LSA Secrets
4 syscalls implement this technique:
- NtOpenKey
Opens an existing registry key — the kernel entry behind RegOpenKeyEx, used to reach SAM, SECURITY and persistence hives.
- NtOpenKeyEx
Extended variant of NtOpenKey accepting OpenOptions — required for symlink-following and backup-semantics opens.
- NtLoadKey
Mounts a registry hive file under a target key — the syscall behind offline SAM/SYSTEM loading.
- NtSaveKey
Writes a live registry key (with subtree) to a hive file — the kernel side of SAM/SECURITY theft.