T1003.005 Cached Domain Credentials

Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)

On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires Password Cracking to recover the plaintext password.(Citation: ired mscache)

On Linux systems, Active Directory credentials can be accessed through caches maintained by software like System Security Services Daemon (SSSD) or Quest Authentication Services (formerly VAS). Cached credential hashes are typically located at /var/lib/sss/db/cache.[domain].ldb for SSSD or /var/opt/quest/vas/authcache/vas_auth.vdb for Quest. Adversaries can use utilities, such as tdbdump, on these database files to dump the cached hashes and use Password Cracking to obtain the plaintext password.(Citation: Brining MimiKatz to Unix)

With SYSTEM or sudo access, tools such as Mimikatz, Reg, and secretsdump.py on Windows, or Linikatz on Linux, can be used to extract the cached credentials.(Citation: Brining MimiKatz to Unix)

Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)
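The number of cached DCC2 entries Windows keeps is governed by the CachedLogonsCount value, which the configuration-baseline mappings below are concerned with. The following is an added defender-side example, not code from the ATT&CK page or the CTID mappings: it audits that setting against a baseline and optionally lowers it. The baseline of 4 and the function name are assumptions for this example.

```powershell
# Added example (not from the ATT&CK page or CTID mappings): audit the
# CachedLogonsCount setting that controls how many DCC2 entries Windows keeps.
# Assumption: the baseline value (default 4 here) is the reviewer's own choice;
# align it with the organisation's configuration baseline.
function Test-CachedLogonsBaseline {
    [CmdletBinding()]
    param(
        [int]$MaxAllowed = 4,
        [switch]$Remediate
    )
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'CachedLogonsCount'

    # The value is stored as REG_SZ; when it is absent Windows falls back to 10.
    $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $raw) {
        $effective = 10
        $source    = 'default (value not present)'
    } else {
        $parsed = 0
        if (-not [int]::TryParse([string]$raw, [ref]$parsed)) {
            throw "Unexpected non-numeric CachedLogonsCount value '$raw'"
        }
        $effective = $parsed
        $source    = 'registry'
    }

    $compliant = $effective -le $MaxAllowed
    if (-not $compliant -and $Remediate) {
        # Requires an elevated session; the lower count applies to future logons,
        # existing cache entries beyond the limit age out as new logons occur.
        Set-ItemProperty -Path $key -Name $name -Value ([string]$MaxAllowed) -Type String
        $effective = $MaxAllowed
        $compliant = $true
        $source    = 'remediated'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CachedLogonsCount = $effective
        Source            = $source
        MaxAllowed        = $MaxAllowed
        Compliant         = $compliant
    }
}

# Report only; add -Remediate from an elevated prompt to enforce the baseline.
Test-CachedLogonsBaseline | Format-List
```

Setting the value to 0 disables caching entirely, which also prevents domain users from logging on while no domain controller is reachable, so the baseline should be chosen per system role.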


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.PS-01.01 | Configuration baselines | Mitigates | T1003.005 | Cached Domain Credentials
    Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.
PR.PS-01.02 | Least functionality | Mitigates | T1003.005 | Cached Domain Credentials
    Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003.005 | Cached Domain Credentials
    Comments: This diagnostic statement protects against Cached Domain Credentials through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems.
PR.PS-01.03 | Configuration deviation | Mitigates | T1003.005 | Cached Domain Credentials
    Comments: This diagnostic statement provides protection from OS Credential Dumping: Cached Domain Credentials through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. Security baseline configuration of the operating system and integrity checking can help protect against adversaries attempting to compromise systems and elevate privileges.
PR.AA-01.01 | Identity and credential management | Mitigates | T1003.005 | Cached Domain Credentials
    Comments: This diagnostic statement protects against Cached Domain Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CA-07 | Continuous Monitoring | mitigates | T1003.005 | Cached Domain Credentials
CM-06 | Configuration Settings | mitigates | T1003.005 | Cached Domain Credentials
CM-05 | Access Restrictions for Change | mitigates | T1003.005 | Cached Domain Credentials
IA-05 | Authenticator Management | mitigates | T1003.005 | Cached Domain Credentials
IA-04 | Identifier Management | mitigates | T1003.005 | Cached Domain Credentials
SC-28 | Protection of Information at Rest | mitigates | T1003.005 | Cached Domain Credentials
SC-39 | Process Isolation | mitigates | T1003.005 | Cached Domain Credentials
SI-03 | Malicious Code Protection | mitigates | T1003.005 | Cached Domain Credentials
CM-02 | Baseline Configuration | mitigates | T1003.005 | Cached Domain Credentials
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1003.005 | Cached Domain Credentials
CM-07 | Least Functionality | mitigates | T1003.005 | Cached Domain Credentials
SI-04 | System Monitoring | mitigates | T1003.005 | Cached Domain Credentials
AC-02 | Account Management | mitigates | T1003.005 | Cached Domain Credentials
AC-03 | Access Enforcement | mitigates | T1003.005 | Cached Domain Credentials
AC-04 | Information Flow Enforcement | mitigates | T1003.005 | Cached Domain Credentials
AC-05 | Separation of Duties | mitigates | T1003.005 | Cached Domain Credentials
AC-06 | Least Privilege | mitigates | T1003.005 | Cached Domain Credentials