S0006: pwdump
Analyst context for executives and security teams
pwdump matters because it is a Windows credential-dumping tool associated in ATT&CK with extraction of local account credential material from the Security Account Manager (SAM). For leaders, the practical risk is not the tool name itself; it is whether a compromised Windows host can become a source of reusable credentials that enable broader access and complicate incident containment.
Executive priority
Treat pwdump-related behavior as a credential-access readiness issue. Executives and security leaders should ask whether Windows endpoint telemetry, privileged access controls, and incident response playbooks can quickly answer: which host exposed local account material, which accounts may be affected, and whether the same credentials are reused elsewhere. The ATT&CK relationships show use by multiple named groups and link the tool to T1003.002 Security Account Manager, making it relevant to control prioritization, audit evidence around credential protection, and containment decision-making.
Technical view
ATT&CK lists pwdump as a Windows credential dumper and relates it to T1003.002, Security Account Manager, under credential access. SOC and IR teams should validate visibility for Windows process execution involving known or suspicious credential-dumping utilities, attempts to access SAM-related credential material, and activity occurring with SYSTEM-level privileges, since the related technique notes that SAM enumeration requires SYSTEM-level access. Because ATT&CK provides no official detection text for this software object, local detection engineering should be based on endpoint behavior, privilege context, and correlation with credential-access technique coverage rather than the tool name alone.
Likely telemetry
- Windows endpoint process execution events, including executable name/path and command-line metadata where collected
- File creation or execution evidence for known credential-dumping binaries such as pwdump variants, subject to local naming and hash coverage
- Privilege context for processes, especially activity running as SYSTEM
- Windows Registry or SAM-related access telemetry where available from endpoint security tooling
- Security alerts or EDR observations mapped to credential access or SAM credential dumping
Detection direction
- Validate coverage against ATT&CK technique T1003.002 rather than relying only on exact tool-name matches, because credential dumpers may be renamed or replaced.
- Tune detections around suspicious Windows processes attempting credential-material access with elevated or SYSTEM context.
- Correlate tool execution with host role, user context, recent privilege escalation indicators, and subsequent authentication activity to reduce false positives from authorized security testing or administrative activity.
- Confirm whether managed detection or SOC workflows preserve enough endpoint detail to support containment decisions: affected host, account context, execution time, and suspected credential stores accessed.
- Use the relationship context as prioritization input: this tool is linked in ATT&CK to several groups, but do not treat that alone as attribution without incident-specific evidence.
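The following is an added example, not part of the mirrored ATT&CK object or any vendor tooling, showing how the detection direction above can be turned into behaviour-first triage over constructed endpoint events (a Sysmon-like shape is assumed; field names, host names, tool names and the authorized lab host are all illustrative). SYSTEM-context access to the SAM hive scores highest regardless of executable name, a known dumper name only adds weight, and authorized testing hosts are tagged rather than suppressed so the evidence is preserved.

```python
"""Behaviour-based triage of Windows endpoint events for SAM credential access.
Constructed sample telemetry in a Sysmon-like shape (assumption: your EDR
exports comparable fields). SYSTEM context plus SAM hive access is the
primary signal (T1003.002); a known tool name is only a secondary indicator."""
import re

KNOWN_DUMPERS = {"pwdump.exe", "pwdump7.exe", "fgdump.exe"}  # illustrative names
SAM_TARGETS = re.compile(r"(hklm\\sam\b|\\config\\sam\b)", re.IGNORECASE)
AUTHORIZED_TEST_HOSTS = {"LAB-RT1"}  # assumption: documented red-team lab host

SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"type": "process", "host": "WS-204", "time": "2024-05-02T09:14:03Z",
     "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Temp\\svc.exe", "pid": 4412},
    {"type": "registry", "host": "WS-204", "time": "2024-05-02T09:14:04Z",
     "user": "NT AUTHORITY\\SYSTEM", "pid": 4412,
     "target": "HKLM\\SAM\\SAM\\Domains\\Account"},
    {"type": "process", "host": "WS-118", "time": "2024-05-02T10:02:11Z",
     "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\pwdump.exe",
     "pid": 812},
    {"type": "process", "host": "LAB-RT1", "time": "2024-05-02T11:30:00Z",
     "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Tools\\pwdump7.exe", "pid": 5000},
    {"type": "registry", "host": "LAB-RT1", "time": "2024-05-02T11:30:01Z",
     "user": "NT AUTHORITY\\SYSTEM", "pid": 5000, "target": "HKLM\\SAM\\SAM"},
]

def is_system(user):
    return user.upper().endswith("\\SYSTEM")

def triage(events, authorized_hosts=AUTHORIZED_TEST_HOSTS):
    """Return findings with the containment fields (host, user, time, image)."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    sam_access = {(e["host"], e["pid"]) for e in events
                  if e["type"] == "registry" and SAM_TARGETS.search(e["target"])}
    findings = []
    for key, p in procs.items():
        score, reasons = 0, []
        if key in sam_access and is_system(p["user"]):
            score += 3; reasons.append("SYSTEM-context SAM hive access (T1003.002)")
        elif key in sam_access:
            score += 1; reasons.append("SAM hive access without SYSTEM context")
        name = p["image"].rsplit("\\", 1)[-1].lower()
        if name in KNOWN_DUMPERS:  # renamed binaries still score on behaviour above
            score += 1; reasons.append(f"known dumper name {name}")
        if score == 0:
            continue
        severity = ("authorized-testing" if p["host"] in authorized_hosts
                    else "high" if score >= 3 else "medium")
        findings.append({"host": p["host"], "user": p["user"], "time": p["time"],
                         "image": p["image"], "score": score,
                         "reasons": reasons, "severity": severity})
    return sorted(findings, key=lambda f: -f["score"])
```

Running `triage(SAMPLE_EVENTS)` ranks the renamed SYSTEM-context dumper on WS-204 as high even though its name matches nothing, while the user-context pwdump.exe download on WS-118 is only medium pending correlation.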
Mitigation priorities
- Prioritize reduction of unnecessary local administrative and SYSTEM-level access paths on Windows hosts.
- Review local account and credential reuse practices so exposure of one host’s SAM material does not automatically create broad lateral-access risk.
- Ensure endpoint logging and response tooling can isolate a Windows host and collect process, file, privilege, and credential-access evidence during an incident.
- Include SAM credential dumping scenarios in IR playbooks and tabletop exercises, especially decisions around password resets and scoping potentially exposed local accounts.
- Maintain compliance evidence showing credential access monitoring, privileged access governance, and response procedures for Windows endpoints.
Analyst notes and limits
The supplied ATT&CK object is sparse: pwdump is described only as a credential dumper, with Windows as the platform and no official detection guidance. The most useful context comes from the relationship to T1003.002 Security Account Manager and the listed group-use relationships. Defensive planning should therefore focus on credential-access behavior and Windows endpoint evidence rather than assuming a single static indicator.
This take uses only the provided ATT&CK fields, external references, and relationships. It does not assert active exploitation, customer exposure, specific indicators, guaranteed detection logic, or attribution. Local environment data is required to determine whether pwdump or SAM credential dumping is present, authorized, blocked, or detectable.
pwdump
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.002 | Security Account Manager (sub-technique) | pwdump can be used to dump credentials from the SAM.[1] |
Groups, software, and campaigns
G0087: APT39
APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
G0053: FIN5
FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.[1][2][3]
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail, and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
G0006: APT1
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | d4e21c993053… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Wikipedia. (2007, August 9). pwdump. Retrieved June 22, 2016.
[2] MITRE ATT&CK. S0006: pwdump.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.