Secretsdump
SecretsDump (secretsdump.py) is a credential-dumping utility from the Impacket framework used to obtain account credentials and password hashes from Windows systems. Reporting indexed for this family associates it with dumping password hashes, retrieving credentials from the Security Account Manager (SAM) and Local Security Authority (LSA) secrets, and extracting account and password material from the Active Directory NTDS.dit database on domain controllers. Reported tradecraft includes running it against domain controllers, obtaining NTDS.dit, and dumping hashes via Impacket modules.

The tool is linked to multiple threat actors and campaigns. Dragonfly was reported to have dropped and executed SecretsDump to dump password hashes, and menuPass used a modified secretsdump.py. A DHS/FBI alert on Dragonfly activity states that the actors installed open-source tools such as Hydra, SecretsDump, and CrackMapExec on compromised staging targets in campaigns affecting government and critical-infrastructure sectors including energy, nuclear, water, aviation, and critical manufacturing. Related guidance notes that attackers can use tools such as Mimikatz or secretsdump to retrieve privileged credentials in on-premises Active Directory environments.

One SHA256 indicator explicitly labeled as Secretsdump in the indexed sources: c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Dragonfly has dropped and executed SecretsDump to dump password hashes.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Credential Access (4 techniques)
Supporting evidence:
- IoC listing: SHA256 c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37, labeled Secretsdump.
- Dragonfly has dropped and executed SecretsDump to dump password hashes.
- Analysis of secretsdump, DRSUAPI, and VSS: DRSBind behavior, DRSGetNCChanges defaults, and VSS execution patterns. These cover the two NTDS extraction paths the tool uses: the remote path, which replicates account secrets from a domain controller over the DRSUAPI interface (a DRSBind followed by DRSGetNCChanges requests), and the local path, which creates a Volume Shadow Copy and copies NTDS.dit out of it.
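The two extraction paths described above give defenders two hunting surfaces: Security event 4662 records replication-rights access (DRSGetNCChanges cannot complete without the DS-Replication-Get-Changes rights, so a non-DC account requesting them is the DCSync/secretsdump pattern), and process-creation events record the VSS shadow-copy and registry-hive-save commands behind the local SAM/LSA/NTDS path. The detector below is an added example written for this page; it is not Impacket code and not Mallory's own detection content. It assumes simplified, pre-parsed event dictionaries (field names such as `Properties`, `SubjectUserName` and `CommandLine` follow the Windows event schema but the events themselves are constructed sample data), and it assumes the operator knows the set of domain controller hostnames.

```python
"""Hunt for secretsdump-style credential dumping in Windows event data.

Added example for this page (not Impacket or Mallory code). It flags:
  * Security 4662 events where replication control-access rights are
    requested by an account that is not a known domain controller
    (the remote DRSUAPI / DCSync path secretsdump uses by default), and
  * process-creation events (Security 4688 or Sysmon 1) containing VSS
    shadow-copy creation, NTDS.dit copies from a shadow copy, or
    'reg save' of the SAM/SECURITY/SYSTEM hives (the local path).
All events in SAMPLE_EVENTS are constructed, not real telemetry.
"""
import json
import re

# Published AD schema GUIDs for the replication control-access rights that
# DRSGetNCChanges requires. Event 4662 lists them in the Properties field.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Command-line patterns for the VSS / hive-save path (case-insensitive).
SUSPICIOUS_CMDLINES = [
    (re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I), "VSS shadow copy created"),
    (re.compile(r"harddiskvolumeshadowcopy\d+\\windows\\ntds\\ntds\.dit", re.I),
     "NTDS.dit copied from shadow copy"),
    (re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I),
     "registry hive saved to disk"),
]


def is_dc_account(subject: str, dc_hosts: set[str]) -> bool:
    """Domain controllers replicate using their machine account (HOST$)."""
    return subject.upper().rstrip("$") in {h.upper() for h in dc_hosts}


def check_4662(event: dict, dc_hosts: set[str]):
    """Flag replication rights requested by anything that is not a known DC."""
    if event.get("EventID") != 4662:
        return None
    props = event.get("Properties", "").lower()
    hits = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
    if not hits:
        return None
    subject = event.get("SubjectUserName", "")
    if is_dc_account(subject, dc_hosts):
        return None  # ordinary DC-to-DC replication
    return {
        "rule": "non-DC DRSUAPI replication (DCSync/secretsdump pattern)",
        "subject": subject,
        "source": event.get("IpAddress", ""),
        "rights": hits,
    }


def check_process(event: dict):
    """Flag shadow-copy / hive-save commands in process-creation events."""
    if event.get("EventID") not in (4688, 1):  # Security 4688 or Sysmon 1
        return None
    cmd = event.get("CommandLine", "")
    for pattern, label in SUSPICIOUS_CMDLINES:
        if pattern.search(cmd):
            return {"rule": label, "host": event.get("Computer", ""), "cmdline": cmd}
    return None


def hunt(events: list[dict], dc_hosts: set[str]) -> list[dict]:
    """Run both checks over a list of events and return the alerts."""
    alerts = []
    for ev in events:
        for alert in (check_4662(ev, dc_hosts), check_process(ev)):
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events: benign DC-to-DC replication, a service account
# pulling replication data (the secretsdump/DCSync pattern), the local VSS
# and hive-save commands, and one benign process.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "IpAddress": "10.0.0.6",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "IpAddress": "10.0.5.23",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4688, "Computer": "DC01", "CommandLine": "vssadmin.exe create shadow /for=C:"},
    {"EventID": 1, "Computer": "DC01",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit"},
    {"EventID": 4688, "Computer": "WS07", "CommandLine": r"reg.exe save HKLM\SAM C:\Windows\Temp\sam.save"},
    {"EventID": 4688, "Computer": "WS07", "CommandLine": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS, dc_hosts={"DC01", "DC02"}):
        print(json.dumps(alert))
```

Two caveats for anyone deploying this logic: 4662 is only emitted if object-access auditing (Directory Service Access) is enabled on the domain naming context, and the replication-rights check catches any DCSync-style client, not secretsdump specifically, so the alert should be read as "replication by something that is not a DC" rather than as a tool signature. Legitimate backup or Azure AD Connect accounts that hold replication rights will need an allow-list alongside the DC hostnames.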
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
10 sources tracked across advisories, community write-ups, and news. Source summaries:
- A credential-dumping tool listed in the IoCs, typically used to extract account secrets from Windows systems.
- A credential-dumping tool listed in the IoCs, typically used to extract secrets such as password hashes from Windows systems.
- Impacket credential-dumping utility referenced as an IR hunting indicator for credential theft activity.
- Impacket credential-dumping utility referenced as a hunting/detection target in the Everest intrusion methodology section.