Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires Password Cracking to recover the plaintext password.(Citation: ired mscache)
With SYSTEM access, the tools/utilities such as Mimikatz, Reg, and secretsdump.py can be used to extract the cached credentials.
Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.005 | OS Credential Dumping: Cached Domain Credentials | |
action.malware.variety.RAM scraper | RAM scraper or memory parser (capture data from volatile memory) | related-to | T1003.005 | OS Credential Dumping: Cached Domain Credentials | |
action.malware.vector.Email link | Email via embedded link. Child of 'Email' | related-to | T1003.005 | OS Credential Dumping: Cached Domain Credentials |