T1003.005: Cached Domain Credentials
| View on MITRE ATT&CK | T1003.005 |
|---|---|
| Tactic(s) | Credential Access |
Data from MITRE ATT&CK®:
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires Password Cracking to recover the plaintext password.(Citation: ired mscache)
With SYSTEM access, the tools/utilities such as Mimikatz, Reg, and secretsdump.py can be used to extract the cached credentials.
Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
StopRansomware: Phobos Ransomware
This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...
Mitigations for this technique
MITRE ATT&CK Mitigations
User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.Active Directory Configuration
Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.Operating System Configuration
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.Password Policies
Set and enforce secure password policies for accounts.How to detect this technique
MITRE ATT&CK Data Components
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Credential Dumping Tools Service Execution - Security
HackTool - Mimikatz Execution
New Generic Credentials Added Via Cmdkey.EXE
Cred Dump Tools Dropped Files
Dumping of Sensitive Hives Via Reg.EXE
Credential Dumping Tools Service Execution - System
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
HackTool - Credential Dumping Tools Named Pipe Created
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.