T1003.005 Cached Domain Credentials Mappings

Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)

On Windows Vista and newer, cached credentials are stored as DCC2 (Domain Cached Credentials version 2) hashes, also known as MS-Cache v2 hashes.(Citation: PassLib mscache) The default number of cached credentials varies and can be changed per system. This hash format does not allow pass-the-hash style attacks; an adversary instead has to resort to Password Cracking to recover the plaintext password.(Citation: ired mscache)

With SYSTEM access, tools such as Mimikatz, Reg, and secretsdump.py can be used to extract the cached credentials.

Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1003.005 | Cached Domain Credentials |
| AC-3 | Access Enforcement | Protects | T1003.005 | Cached Domain Credentials |
| AC-4 | Information Flow Enforcement | Protects | T1003.005 | Cached Domain Credentials |
| AC-5 | Separation of Duties | Protects | T1003.005 | Cached Domain Credentials |
| AC-6 | Least Privilege | Protects | T1003.005 | Cached Domain Credentials |
| CA-7 | Continuous Monitoring | Protects | T1003.005 | Cached Domain Credentials |
| CM-2 | Baseline Configuration | Protects | T1003.005 | Cached Domain Credentials |
| CM-5 | Access Restrictions for Change | Protects | T1003.005 | Cached Domain Credentials |
| CM-6 | Configuration Settings | Protects | T1003.005 | Cached Domain Credentials |
| CM-7 | Least Functionality | Protects | T1003.005 | Cached Domain Credentials |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1003.005 | Cached Domain Credentials |
| IA-4 | Identifier Management | Protects | T1003.005 | Cached Domain Credentials |
| IA-5 | Authenticator Management | Protects | T1003.005 | Cached Domain Credentials |
| SC-28 | Protection of Information at Rest | Protects | T1003.005 | Cached Domain Credentials |
| SC-39 | Process Isolation | Protects | T1003.005 | Cached Domain Credentials |
| SI-3 | Malicious Code Protection | Protects | T1003.005 | Cached Domain Credentials |
| SI-4 | System Monitoring | Protects | T1003.005 | Cached Domain Credentials |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.005 | OS Credential Dumping: Cached Domain Credentials |
| action.malware.variety.RAM scraper | RAM scraper or memory parser (capture data from volatile memory) | related-to | T1003.005 | OS Credential Dumping: Cached Domain Credentials |
| action.malware.vector.Email link | Email via embedded link. Child of 'Email' | related-to | T1003.005 | OS Credential Dumping: Cached Domain Credentials |