1. Home
  2. Software
  3. gsecdump

gsecdump

gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. [1]

ID: S0008
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

gsecdump can dump Windows password hashes from the SAM.[1]
.004 OS Credential Dumping: LSA Secrets

gsecdump can dump LSA secrets.[1]

Groups That Use This Software

ID Name References
G0014 Night Dragon

[2]
G0060 BRONZE BUTLER

[3][4]
G0006 APT1

[5]
G0011 PittyTiger

[6]
G0027 Threat Group-3390

[7]
G0131 Tonto Team

[8]

References

  1. TrueSec. (n.d.). gsecdump v2.0b5. Retrieved September 29, 2015.
  2. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  3. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  4. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  2. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.
  3. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  4. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.