HashDump‑BypassEDR — a toolkit for extracting NT hashes on Windows bypassing EDR

⚙️ Tools · 2026-05-15, 09:34
A set of utilities and techniques for extracting user password hashes on Windows while evading EDR detection. The core idea is to use the built-in reg.exe utility to export the SAM, SYSTEM and SECURITY registry hives, an action the project describes as not triggering behavioral monitoring. BootKey.exe is then run to extract the boot key value. The exported files are processed locally, offline, with the RegReduction.ps1 script, and the result is loaded into secretsdump.py to recover the NT hashes.
Features:
📍 Does not require administrator privileges.
📍 Compatible with Windows 10/11 and Server 2022/2025.
Compared to traditional lsass.exe dumpers and mimikatz, HashDump-BypassEDR avoids direct access to the LSASS process and is therefore less likely to be blocked by EDR. The trade-off is that it requires a step-by-step export followed by offline processing, which reduces operational speed.