MITRE ATT&CK® Tool

S0005: Windows Credential Editor

Windows Credential Editor is a password dumping tool. [1]

Enterprise | S0005 | Tool | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Windows Credential Editor is a Windows password-dumping tool associated in ATT&CK with LSASS memory credential access. For leaders, its importance is not the tool name itself but what its presence can imply: an attacker or unauthorized administrator may be trying to obtain reusable credentials that can enable lateral movement and broader compromise.

Executive priority

Prioritize this as an identity and incident-response readiness issue. If a password-dumping tool is observed on Windows systems, leadership should expect decisions around credential reset scope, privileged account review, lateral movement investigation, and evidence preservation. The ATT&CK relationships also show use by multiple espionage and financially motivated groups, making coverage relevant for organizations concerned with payment data, government, defense, manufacturing, hospitality, telecommunications, and other targeted sectors; however, local exposure must be validated with internal telemetry.

Technical view

ATT&CK lists Windows Credential Editor as a Windows password dumping tool and relates it to T1003.001, LSASS Memory, under credential access. SOC and IR teams should validate whether they can detect suspicious access to LSASS, unexpected credential-dumping utilities, and administrator or SYSTEM-context processes interacting with credential material. Because MITRE provides no official detection text for this software object, detection engineering should be based on the related LSASS Memory behavior, internal baselines, endpoint telemetry, and confirmed tool artifacts where available.

Likely telemetry

  • Windows endpoint process creation events, including command-line and parent-child process context where collected
  • EDR or host telemetry showing process access to LSASS memory
  • Security events for privileged logon, administrative execution, or SYSTEM-context activity
  • File creation, execution, or quarantine events for suspicious credential-dumping utilities
  • Credential access alerts from endpoint protection or managed detection tooling

Detection direction

  • Validate visibility into LSASS process access on Windows endpoints, especially from unusual processes or administrative sessions.
  • Tune detections to distinguish legitimate administrative/security tooling from unauthorized credential-dumping behavior; false positives may occur where memory inspection or security tools are used.
  • Correlate suspected tool execution with privileged logons, new remote sessions, and subsequent authentication activity rather than treating a single alert in isolation.
  • Use the related T1003.001 context to drive detection coverage because the software object itself has no official MITRE detection guidance.
  • Review whether high-value servers, domain administration workstations, and payment or operationally critical Windows systems have equivalent telemetry coverage.
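One way to prototype the LSASS-access visibility and correlation points above, as an added example that is not part of the Glexia page or of MITRE's material: it flags Sysmon Event ID 10 (ProcessAccess) records where a non-allowlisted process opens lsass.exe with memory-read rights, and raises severity when the same user received a privileged logon (Security Event ID 4672) shortly before. The Sysmon field names and the PROCESS_VM_READ constant are real; the key=value line format, allowlist path, and sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# PROCESS_VM_READ (winnt.h) is the access right a dumper needs to copy LSASS memory.
PROCESS_VM_READ = 0x0010
# Assumed allowlist of tooling permitted to read LSASS; tune per environment.
ALLOWLIST = {r"c:\program files\vendor\edr-sensor.exe"}

@dataclass
class ProcessAccess:
    when: datetime
    source_image: str
    target_image: str
    granted_access: int
    user: str

def parse_sysmon_10(line: str) -> ProcessAccess:
    """Parse a constructed 'Key=Value|...' rendering of a Sysmon Event ID 10 record."""
    f = dict(kv.split("=", 1) for kv in line.split("|"))
    return ProcessAccess(datetime.strptime(f["UtcTime"], "%Y-%m-%d %H:%M:%S"),
                         f["SourceImage"], f["TargetImage"],
                         int(f["GrantedAccess"], 16), f["User"])

def is_suspicious(ev: ProcessAccess) -> bool:
    """LSASS opened with memory-read rights by a process outside the allowlist."""
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return False
    if ev.source_image.lower() in ALLOWLIST:
        return False
    return bool(ev.granted_access & PROCESS_VM_READ)

def triage(lines, privileged_logons, window=timedelta(minutes=5)):
    """(source_image, user, severity): 'high' if that user had a privileged logon
    (Security Event ID 4672) within `window` before the access, else 'medium'."""
    out = []
    for ev in map(parse_sysmon_10, lines):
        if not is_suspicious(ev):
            continue
        recent = any(u == ev.user and timedelta(0) <= ev.when - t <= window
                     for t, u in privileged_logons)
        out.append((ev.source_image, ev.user, "high" if recent else "medium"))
    return out

# Constructed sample telemetry, not captured from a real host.
SAMPLE_EID10 = [
    "UtcTime=2024-09-12 10:00:05|SourceImage=C:\\Program Files\\Vendor\\edr-sensor.exe|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1010|User=NT AUTHORITY\\SYSTEM",
    "UtcTime=2024-09-12 10:02:30|SourceImage=C:\\Users\\admin\\Downloads\\dumper.exe|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1410|User=CORP\\admin",
    "UtcTime=2024-09-12 10:03:00|SourceImage=C:\\Windows\\system32\\taskmgr.exe|TargetImage=C:\\Windows\\system32\\lsass.exe|GrantedAccess=0x1400|User=CORP\\helpdesk",
]
SAMPLE_4672 = [(datetime(2024, 9, 12, 10, 1, 0), "CORP\\admin")]  # (time, user)
```

The allowlisted sensor and the query-only Task Manager open are dropped; only the unknown binary reading LSASS memory is reported, and it is rated high because the matching privileged logon landed 90 seconds earlier.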

Mitigation priorities

  • Reduce unnecessary local administrator and privileged account exposure on Windows systems.
  • Harden credential storage and LSASS protection controls where appropriate for the environment.
  • Limit and monitor tools or workflows that require memory access to sensitive processes.
  • Prepare IR playbooks for credential-dumping events, including containment, credential rotation, and lateral movement scoping.
  • Use findings as compliance and audit evidence for privileged access monitoring, endpoint logging, and incident response readiness.

Analyst notes and limits

The relationship set indicates use by several named ATT&CK groups and a direct behavioral link to LSASS Memory credential access. This supports treating the tool as a meaningful credential-risk indicator, but it does not by itself prove current targeting, compromise, or sector-specific exposure in any given environment.

MITRE provides a short software description and no official detection guidance for this object. Tactics are not specified on the tool object, and defensive recommendations must be validated against the related T1003.001 behavior and the organization’s actual Windows logging, EDR coverage, identity architecture, and administrative practices.

Official MITRE ATT&CK definition

Windows Credential Editor

Windows Credential Editor is a password dumping tool. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name                          Relationship / procedure
Enterprise  T1003.001  LSASS Memory (sub-technique)  Windows Credential Editor can dump credentials. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0065: Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]

Group Enterprise

G0053: FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. [1] [2] [3]

Group Enterprise

G0087: APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]

Group Enterprise

G0037: FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[1][2]

Group Enterprise

G0093: GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]

Group Enterprise

G0027: Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]

Group Enterprise

G0060: BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: ad7f3c63c6c2cd30...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.1                       Current bundle  ad7f3c63c6c2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Amplia WCE: Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q. Retrieved September 12, 2024.
  2. [2] mitre-attack S0005 (mirrored ATT&CK source record).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.