FgDump
fgdump is a Windows credential-dumping and password-auditing utility used to obtain Windows password hashes and dump credentials from LSASS. The source material describes it as a tool for mass password auditing of Windows systems that works by dumping credentials from LSASS, and notes that it can also dump Windows password hashes, including from the SAM, in broader credential-dumping contexts. It is repeatedly listed alongside Mimikatz, Windows Credential Editor (WCE), pwdump variants, and SecretsDump as a post-exploitation credential access utility. The sources tie fgdump to credential dumping tradecraft used by multiple threat actors and intrusion sets: Kaspersky reported DustSquad using fgdump as a third-party post-exploitation tool, and joint government/CISA-related material lists FgDump among tools an actor could use to obtain the same credential material as theft of the SAM/SYSTEM/SECURITY hives and NTDS.dit. The tool targets Windows environments and is relevant to post-compromise credential access, enabling lateral movement, and offline password cracking once hashes have been extracted. High-confidence behavior supported by the source material is limited to dumping credentials from LSASS and dumping Windows password hashes; no unique infection vector, persistence mechanism, or fgdump-specific IOCs are provided.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Kaspersky: "We have previously seen DustSquad use third-party post-exploitation tools, such as the password dumping utility fgdump."
Joint government advisory: "...the following tools could be used by an actor to obtain the same information: ... FgDump"
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
Installation of Mimikatz driver. Let's hunt it!
event_id:7045 AND (event_data.ServiceName:*mimidrv* OR event_data.ImagePath:*mimidrv*)
Credential Access
3 techniques
Credential dumping is the process of obtaining account login and password information from the operating system and software.
"LSASS memory contains a lot of sensitive data that can be dumped!... There are several ways: • online from ring3 – OpenProcess…; • online from ring0 – use a driver for accessing LSASS memory; • offline from LSASS memory dumps; • offline from other sources that contain LSASS memory."
"The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive... to perform password cracking [T1003.003]."
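As an added example (not from the page, from Mallory, or from any cited vendor), the Execution hunt query above run in Python over constructed winlogbeat-style JSON events; the field names come from the query, while the flattened JSON shape and case-insensitive matching are assumptions:

```python
"""Run the hunt  event_id:7045 AND (event_data.ServiceName:*mimidrv* OR
event_data.ImagePath:*mimidrv*)  over newline-delimited JSON events.
The flattened winlogbeat-style field layout is an assumption."""
import fnmatch
import json

HUNT_EVENT_ID = 7045  # System log: "A service was installed in the system"
# Field -> wildcard pattern; the patterns are OR'd together as in the query.
HUNT_PATTERNS = {"ServiceName": "*mimidrv*", "ImagePath": "*mimidrv*"}

# Constructed sample events (not real telemetry), one JSON object per line.
# Record 4 is Security 4697, which reports the same service install but sits
# outside the page's System-log query and so is deliberately not matched.
SAMPLE_EVENTS = r"""
{"record_number": 1, "event_id": 7045, "computer": "WS01", "event_data": {"ServiceName": "mimidrv", "ImagePath": "C:\\Users\\Public\\mimidrv.sys", "StartType": "demand start"}}
{"record_number": 2, "event_id": 7045, "computer": "WS02", "event_data": {"ServiceName": "Update Helper", "ImagePath": "C:\\Windows\\Temp\\MIMIDRV.sys"}}
{"record_number": 3, "event_id": 7045, "computer": "WS03", "event_data": {"ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe"}}
{"record_number": 4, "event_id": 4697, "computer": "WS01", "event_data": {"ServiceName": "mimidrv", "ServiceFileName": "C:\\Users\\Public\\mimidrv.sys"}}
"""


def matches_hunt(event: dict) -> bool:
    """True when event_id is 7045 AND any field matches its wildcard pattern.

    Matching is case-insensitive (assumption: SIEM keyword fields keep the
    attacker's casing and wildcard queries may be case-sensitive, so
    MIMIDRV.sys would otherwise slip past the query as written).
    """
    if event.get("event_id") != HUNT_EVENT_ID:
        return False
    data = event.get("event_data") or {}
    return any(
        fnmatch.fnmatchcase(str(data.get(field, "")).lower(), pattern.lower())
        for field, pattern in HUNT_PATTERNS.items()
    )


def hunt(events) -> list:
    """Return only the events that satisfy the hunt, ready for triage."""
    return [e for e in events if matches_hunt(e)]


def hunt_json_lines(text: str) -> list:
    """Parse newline-delimited JSON events and run the hunt over them."""
    events = (json.loads(line) for line in text.splitlines() if line.strip())
    return hunt(events)


if __name__ == "__main__":
    for hit in hunt_json_lines(SAMPLE_EVENTS):
        d = hit["event_data"]
        print(f"{hit['computer']} record {hit['record_number']}: "
              f"ServiceName={d.get('ServiceName')!r} ImagePath={d.get('ImagePath')!r}")
```

Records 1 and 2 are flagged; pairing the query with a Security 4697 equivalent would close the gap that record 4 illustrates.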
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Credential dumping utility used to obtain password hashes and cached credentials from Windows systems; associated with dropped files and service artifacts.
Credential dumping tool used to extract credentials from LSASS to enable lateral movement and privilege escalation.
Password dumping utility used as a post-exploitation tool by DustSquad.
Credential dumping tool referenced for extracting Windows password hashes/credentials.