1. Home
  2. Software
  3. gsecdump

gsecdump

gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. [1]

ID: S0008
Type: TOOL
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 22 September 2022
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

gsecdump can dump Windows password hashes from the SAM.[2]
.004 OS Credential Dumping: LSA Secrets

gsecdump can dump LSA secrets.[1]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390

[3]
G0006 APT1

[4]
G0011 PittyTiger

[5]
G0131 Tonto Team

[6]
G0060 BRONZE BUTLER

[7][8]

Campaigns

ID Name Description
C0002 Night Dragon

During Night Dragon, threat actors used gsecdump to dump account hashes.[9]

References

  1. TrueSec. (n.d.). gsecdump v2.0b5. Retrieved September 29, 2015.
  2. Vincent Tiu. (2017, September 15). HackTool:Win32/Gsecdump. Retrieved January 10, 2024.
  3. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  4. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  5. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.
  1. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  2. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  3. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  4. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.