S0008 gsecdump
gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.[1]
Item | Value |
---|---|
ID | S0008 |
Associated Names | |
Type | TOOL |
Version | 1.2 |
Created | 31 May 2017 |
Last Modified | 22 September 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.002 | Security Account Manager | gsecdump can dump Windows password hashes from the SAM.[1] |
enterprise | T1003.004 | LSA Secrets | gsecdump can dump LSA secrets.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0027 | Threat Group-3390 | [3] |
G0131 | Tonto Team | [4] |
G0006 | APT1 | [5] |
G0060 | BRONZE BUTLER | [6][7] |
G0011 | PittyTiger | [8] |
References
1. TrueSec. (n.d.). gsecdump v2.0b5. Retrieved September 29, 2015.
2. McAfee Foundstone Professional Services and McAfee Labs. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018.
3. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
4. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
5. Mandiant. (n.d.). APT1: Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
6. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
7. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
8. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.