
S0008 gsecdump

gsecdump is a publicly available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. [1]

| Item | Value |
|---|---|
| ID | S0008 |
| Associated Names | |
| Type | TOOL |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.002 | Security Account Manager | gsecdump can dump Windows password hashes from the SAM. [1] |
| enterprise | T1003.004 | LSA Secrets | gsecdump can dump LSA secrets. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0131 | Tonto Team | [2] |
| G0027 | Threat Group-3390 | [3] |
| G0014 | Night Dragon | [4] |
| G0006 | APT1 | [5] |
| G0011 | PittyTiger | [6] |
| G0060 | BRONZE BUTLER | [7] [8] |

References
