S0008: gsecdump
Analyst context for executives and security teams
gsecdump matters because it represents a simple, publicly available way to dump Windows credential material: password hashes from the Security Account Manager (SAM) and LSA secrets, which may include the plaintext passwords of service accounts. For leaders, the business issue is not the tool itself but whether a compromised Windows host can quickly become a broader identity compromise. If defenders cannot see credential-dumping behavior, or cannot limit where privileged and service credentials are stored, a single compromised endpoint can quickly turn into an enterprise-wide identity incident.
Executive priority
Prioritize gsecdump as an identity-risk and incident-readiness validation item for Windows environments. It is linked by ATT&CK to credential access techniques for SAM and LSA Secrets, and relationships show historical use by multiple espionage groups and the Night Dragon campaign, including activity described against energy and related sectors. Executives should ask whether SOC, IR, and IAM teams can prove collection and response coverage for Windows credential dumping, especially on servers, administrator workstations, and systems that may hold service account credentials.
Technical view
ATT&CK identifies gsecdump as a Windows credential dumper used to obtain password hashes and LSA secrets. It maps to T1003.002 Security Account Manager and T1003.004 LSA Secrets under credential access. Because no official ATT&CK detection text is provided for this software object, defenders should validate coverage through the related techniques: process execution visibility, registry access to the SAM and SECURITY hives (both are readable only by SYSTEM by default, so a local administrator must still obtain SYSTEM, for example by impersonating a SYSTEM token, before the dump succeeds, and that elevation is itself observable), and post-compromise use of the dumped hashes or secrets for lateral movement. Detection engineering should focus on behavior and access patterns rather than only the tool name, because public tools are routinely renamed or wrapped in other execution methods.
Likely telemetry
- Windows process creation and command-line telemetry from endpoints and servers
- Endpoint detection telemetry for credential-dumping behavior
- Windows registry access telemetry for the SAM hive (HKLM\SAM) and LSA Secrets under HKLM\SECURITY\Policy\Secrets; Security-log object access events require an audit SACL on those keys, otherwise EDR or Sysmon registry monitoring is needed to see the access
- Privilege and token activity indicating SYSTEM-level execution or suspicious elevation
- File creation, staging, or execution records for credential-dumping utilities
Detection direction
- Validate detections for the related techniques T1003.002 and T1003.004, not just the literal gsecdump filename.
- Tune for suspicious access to SAM and LSA Secrets material, especially when performed by unusual processes, from non-administrative tools, or outside approved maintenance windows.
- Correlate credential-dumping signals with recent privilege escalation, remote execution, or lateral movement indicators where available.
- Account for false positives from legitimate security testing, incident response collection, and administrative tools; require change tickets or approved tool allowlists where possible.
- Confirm telemetry exists on high-value Windows assets, domain administration workstations, servers, and systems running service accounts; gaps in endpoint coverage on exactly these hosts can materially weaken detection.
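The technical view, telemetry list, and detection direction above describe the same logic in prose: treat access to the SAM and LSA Secrets registry locations by an unexpected process as the primary signal, treat the gsecdump filename or switches as a weak secondary signal, escalate when the accessing process was spawned by a remote-execution parent, and suppress approved collection tooling. The following is an added example, not part of the ATT&CK object or Glexia's analysis, that runs that logic over constructed sample events. The event field names (`image`, `parent_image`, `target`, `sha256`) are a simplified stand-in for whatever schema your EDR or Sysmon/Security-log pipeline emits, the allowlists are placeholders to tune locally, and the long-form switches in the command-line pattern come from gsecdump's own help text (verify against the TrueSec reference copy).

```python
"""Behavior-first detection for T1003.002 / T1003.004 over constructed sample events.

Added example; the event schema, allowlists and sample data are assumptions,
not a vendor format or real telemetry.
"""
import re
from dataclasses import dataclass

# Registry locations whose read is the core signal for SAM and LSA Secrets dumping.
SENSITIVE_KEYS = (
    r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users",
    r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets",
)
# Processes expected to hold handles to these keys. Assumption: tune to your hosts.
EXPECTED_ACCESSORS = {"lsass.exe", "system"}
# Parent images that indicate the accessing process was started remotely. Assumption.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe", "wsmprovhost.exe"}
# SHA-256 of approved IR/forensic collectors (constructed placeholder value).
APPROVED_TOOL_HASHES = {"0" * 64}
# Weak, name-based indicator: renamed copies will not match. Long switches are from
# gsecdump's help output (--dump_all/--dump_hashes/--dump_lsa/--dump_usedhashes/--dump_wireless).
GSECDUMP_CMDLINE = re.compile(
    r"(?i)\bgsecdump(\.exe)?\b|--dump_(all|hashes|lsa|usedhashes|wireless)\b"
)


@dataclass
class Finding:
    host: str
    process: str
    pid: int
    severity: str
    reason: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: list[dict]) -> list[Finding]:
    """Return findings for sensitive registry reads and gsecdump-like command lines."""
    # Index process creations so registry events can be correlated to parent and hash.
    creations = {(e["host"], e["pid"]): e for e in events if e["type"] == "process_create"}
    findings: list[Finding] = []
    for e in events:
        if e["type"] == "process_create":
            if e.get("sha256") in APPROVED_TOOL_HASHES:
                continue  # approved collector: suppress (change-ticket / allowlist control)
            if GSECDUMP_CMDLINE.search(e["cmdline"]):
                findings.append(Finding(e["host"], e["image"], e["pid"], "medium",
                                        "command line resembles gsecdump (weak, name-based)"))
        elif e["type"] == "registry_access":
            target = e["target"].upper()
            if not any(target.startswith(k.upper()) for k in SENSITIVE_KEYS):
                continue
            image = _basename(e["image"])
            if image in EXPECTED_ACCESSORS:
                continue  # lsass.exe and the System process legitimately touch these keys
            creator = creations.get((e["host"], e["pid"]))
            if creator and creator.get("sha256") in APPROVED_TOOL_HASHES:
                continue
            severity, reason = "high", f"{image} read {e['target']} as {e.get('user', '?')}"
            if creator and _basename(creator["parent_image"]) in REMOTE_EXEC_PARENTS:
                # Credential access right after remote execution: escalate.
                severity = "critical"
                reason += f"; spawned by {creator['parent_image']} (remote execution)"
            findings.append(Finding(e["host"], e["image"], e["pid"], severity, reason))
    return findings


# Constructed sample events: a renamed dumper started via WMI, a loud gsecdump run,
# normal lsass.exe activity, and an approved IR collector.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "SRV01", "pid": 4120, "image": r"C:\Windows\Temp\svc.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "svc.exe -a", "sha256": "a" * 64},
    {"type": "registry_access", "host": "SRV01", "pid": 4120, "image": r"C:\Windows\Temp\svc.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "target": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users\000001F4\V"},
    {"type": "registry_access", "host": "SRV01", "pid": 4120, "image": r"C:\Windows\Temp\svc.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "target": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets\_SC_BackupSvc\CurrVal"},
    {"type": "registry_access", "host": "SRV01", "pid": 704, "image": r"C:\Windows\System32\lsass.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "target": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets\_SC_BackupSvc\CurrVal"},
    {"type": "process_create", "host": "WS07", "pid": 9001, "image": r"C:\Tools\gsecdump.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\jdoe",
     "cmdline": "gsecdump.exe -s", "sha256": "b" * 64},
    {"type": "process_create", "host": "WS08", "pid": 1337, "image": r"C:\IR\collector.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "collector.exe --dump_lsa", "sha256": "0" * 64},
    {"type": "registry_access", "host": "WS08", "pid": 1337, "image": r"C:\IR\collector.exe",
     "user": r"NT AUTHORITY\SYSTEM", "target": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} pid={f.pid} {f.process}: {f.reason}")
```

The renamed copy on SRV01 never matches the command-line pattern, which is the point of the detection-direction guidance: only the registry-access path catches it, and the WMI parent lifts it to critical. The approved collector on WS08 is suppressed even though its command line would match, illustrating why the allowlist must be keyed on something stronger than a filename.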
Mitigation priorities
- Reduce credential exposure first: limit local administrator use, review service account placement, and avoid unnecessary privileged credentials on endpoints.
- Harden and monitor Windows hosts that can expose SAM or LSA secrets, especially systems where SYSTEM-level compromise would create broader access.
- Use least privilege and administrative tiering concepts to reduce the value of credentials available on a compromised host.
- Maintain tested incident response procedures for suspected credential dumping, including credential rotation decisions for local, service, and privileged accounts.
- Use managed detection or internal SOC validation to confirm that credential access alerts are actionable, investigated, and tied to containment playbooks.
Analyst notes and limits
The strongest decision value is identity containment. ATT&CK provides no dedicated detection guidance for gsecdump, so practical coverage should be assessed through the linked credential-access techniques and local Windows telemetry. Relationship context shows this tool has been associated in ATT&CK with several named groups and one campaign, but that should be used for prioritization and threat-informed defense rather than as evidence of current activity in any environment.
This take is based only on the supplied ATT&CK software description, external references, and relationships. The object has no ATT&CK tactics listed for the tool itself, no official detection field, and no supplied procedure-level detail. Local validation is required to determine whether gsecdump, related tooling, or equivalent credential-dumping behavior is present or detectable in a specific environment.
gsecdump
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | gsecdump can dump Windows password hashes from the SAM. (Citation: Microsoft Gsecdump) |
| Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | gsecdump can dump LSA secrets. (Citation: TrueSec Gsecdump) |
Groups, software, and campaigns
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
G0006: APT1
G0011: PittyTiger
PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.[1][2]
G0131: Tonto Team
Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).[1][2][3][4][5][6]
G0060: BRONZE BUTLER
BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]
C0002: Night Dragon
Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK Resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 38668eb05950… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] TrueSec Gsecdump: TrueSec. (n.d.). gsecdump v2.0b5. Retrieved November 17, 2024.
- [2] mitre-attack S0008: MITRE ATT&CK software object S0008 (gsecdump).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.