S0120: Fgdump
Analyst context for executives and security teams
Fgdump matters because it is a Windows password-hash dumping tool. In practical terms, its presence or use points to credential-access risk: an intruder with sufficient host privileges may try to obtain local account password hashes from Windows systems and use them to expand access. For leaders, this is less about one named tool and more about whether the organization can prevent, detect, and investigate credential material extraction from Windows endpoints.
Executive priority
Prioritize this as an identity and incident-response readiness issue. The related ATT&CK context maps Fgdump to Security Account Manager credential access on Windows, which requires SYSTEM-level access. Executives should ask whether Windows endpoint telemetry, privileged access controls, and incident playbooks are strong enough to prove when local credential stores are accessed, which accounts may be exposed, and what containment actions are required. This is also relevant to audit evidence for privileged access monitoring and credential protection controls.
Technical view
ATT&CK identifies Fgdump as a Windows password hash dumper and relates it to T1003.002, Security Account Manager, under credential access. SOC and IR teams should validate visibility for suspicious access to SAM-related credential material, execution of known or renamed hash-dumping utilities, privilege escalation to SYSTEM context, and follow-on account activity from the same host or local accounts. Because MITRE provides no object-specific detection guidance for Fgdump, detection engineering should be based on the related technique behavior and local Windows telemetry rather than tool name alone.
Likely telemetry
- Windows endpoint process execution telemetry, including command-line and parent-child process context where available
- Endpoint detection and response alerts or events for credential dumping or suspicious access to local credential stores
- Windows Security event logs relevant to privileged logon, service creation, and administrative activity
- Registry and file access telemetry involving SAM-related locations where collected
- Account activity for local users after suspected credential access
Detection direction
- Do not rely only on the literal tool name Fgdump; validate behavior associated with SAM credential extraction and SYSTEM-level activity.
- Tune detections around unusual processes, services, or administrative tooling that access local credential material on Windows hosts.
- Correlate suspected dumping activity with privileged logons, new services, remote administration, and subsequent local account authentication.
- Separate legitimate administrative or forensic activity from suspicious behavior using approved tool inventories, change records, and administrator identity context.
- Confirm whether endpoint telemetry captures process lineage, command line, registry/file access, and privilege context; gaps here materially limit confidence.
Mitigation priorities
- Reduce opportunities for local credential exposure by limiting and monitoring administrative and SYSTEM-level access on Windows endpoints.
- Harden privileged access practices for local administrator accounts and validate that account management controls are documented for audit and incident response.
- Ensure endpoint monitoring is deployed to Windows systems where credential material exposure would create material business risk.
- Prepare IR procedures for suspected password-hash dumping, including host isolation, account scoping, credential reset decisions, and evidence preservation.
- Use the related ATT&CK technique T1003.002 to guide control validation rather than treating Fgdump as a standalone tool problem.
Analyst notes and limits
The supplied ATT&CK object is sparse: Fgdump is described only as a Windows password hash dumper, with a relationship to Security Account Manager credential access. The strongest defensive value comes from validating Windows credential-access monitoring and privileged access governance around T1003.002.
MITRE provides no official detection text, no tactics directly on the tool object, and no aliases or labels in the supplied fields. This take does not assert active exploitation, specific actor use, guaranteed detection, or applicability outside Windows. Local environment telemetry is required to determine actual exposure and coverage.
Fgdump
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.002 | Security Account Manager Sub-technique | Fgdump can dump Windows password hashes.CitationMandiant APT1 |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | beb949b9359b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Mandiant APT1
Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
Open source URL -
[2]
mitre-attack S0120Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.