T1003.005SubTechniquecredential-accessagent-callable

T1003.005Cached Domain Credentials

Sub-technique of T1003

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds) On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache) With SYSTEM access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py can be used to extract the cached credentials. Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)

ATT&CK tactics· 1

Credential Access

References

  1. https://attack.mitre.org/techniques/T1003/005
  2. https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html
  3. https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials
  4. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11)
  5. https://github.com/mattifestation/PowerSploit
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.