Skip to content

S0005 Windows Credential Editor

Windows Credential Editor is a password dumping tool. 1

Item Value
ID S0005
Associated Names
Type TOOL
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Windows Credential Editor can dump credentials.1

Groups That Use This Software

ID Name References
G0053 FIN5 23
G0060 BRONZE BUTLER 45
G0087 APT39 67
G0093 GALLIUM 8
G0027 Threat Group-3390 9
G0065 Leviathan 10
G0037 FIN6 11

References

  1. Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved December 17, 2015. 

  2. Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017. 

  3. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017. 

  4. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  5. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018. 

  6. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. 

  7. Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020. 

  8. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. 

  9. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. 

  10. Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019. 

  11. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.