gsecdump

gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. [1]

ID: S0008
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

gsecdump can dump Windows password hashes from the SAM.[1]

.004 OS Credential Dumping: LSA Secrets

gsecdump can dump LSA secrets.[1]

Groups That Use This Software

ID Name References
G0014 Night Dragon

[2]

G0060 BRONZE BUTLER

[3][4]

G0006 APT1

[5]

G0011 PittyTiger

[6]

G0027 Threat Group-3390

[7]

References