
DET0513 Detection of Cached Domain Credential Dumping via Local Hash Cache Access

| Item | Value |
|---|---|
| ID | DET0513 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1003.005 (Cached Domain Credentials)

Analytics

Windows

AN1417

Detects adversaries accessing Windows cached domain credential stores with tools such as Mimikatz, reg.exe, or PowerShell, often combined with registry hive exports or LSASS memory scraping.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | WinEventLog:Security | EventCode=4663, 4670, 4656 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

Mutable Elements

| Field | Description |
|---|---|
| TargetFilename | Location of cached credential files may vary with OS version or custom registry hive exports. |
| CommandLine | Patterns for reg save, secretsdump, or PowerShell dumping tools may be tuned to org-specific tooling. |
| TimeWindow | Temporal correlation window between process execution and registry/file access. |

Linux

AN1418

Detects access to SSSD or Quest VAS cached credential databases using tdbdump or other file access patterns, which requires sudo/root access.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | file |
| Process Creation (DC0032) | auditd:EXECVE | EXECVE |
| Process Access (DC0035) | linux:osquery | process_events |

Mutable Elements

| Field | Description |
|---|---|
| filepath | SSSD and Quest cache paths differ by deployment and OS variant. |
| CommandLine | Tunable to capture specific tools (e.g., tdbdump, cat) or scripts accessing cache files. |
| TimeWindow | Time between elevation and file access can be adjusted to account for legitimate system behavior. |
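Both analytics (AN1417 for Windows, AN1418 for Linux) share the same shape: a process creation event whose CommandLine matches a dumping tool, followed within a TimeWindow by file access to a cached-credential location on the same host. The following Python is an added example of that correlation, not code from the ATT&CK detection strategy. The `key="value"` event schema, the sample events, and the default cache paths (the `System32\config` hives, `/var/lib/sss/db/`, `/var/opt/quest/vas/authcache/`) are assumptions of the example; the Mutable Elements above note that real paths and tool patterns vary, so the three tables at the top of the block are the knobs to tune.

```python
"""Time-window correlation for cached-credential access, covering the
AN1417 (Windows) and AN1418 (Linux) analytics. Added example with
constructed events; the field names are this example's own schema."""
import re
from datetime import datetime, timedelta

# CommandLine mutable element: dumping-tool patterns, tune to org tooling.
TOOL_PATTERNS = {
    "windows": [r"\breg(\.exe)?\s+save\s+hklm\\(security|sam|system)\b",
                r"\bmimikatz\b", r"lsadump::", r"\bsecretsdump\b"],
    "linux":   [r"\btdbdump\b", r"\b(cat|cp|strings|dd)\b.*\b(sss|vas)\b"],
}
# TargetFilename / filepath mutable element: assumed default locations only;
# the page notes they differ by OS version and deployment.
CACHE_PATTERNS = {
    "windows": [r"\\system32\\config\\(security|sam|system)$"],
    "linux":   [r"^/var/lib/sss/db/", r"^/var/opt/quest/vas/authcache/"],
}


def parse(line):
    """Parse one normalised key="value" event line (constructed schema)."""
    ev = dict(re.findall(r'(\w+)="([^"]*)"', line))
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, platform, window_s=60):
    """Alert when a dumping command on a host is followed within window_s
    seconds (TimeWindow mutable element) by access to a cache file on the
    same host. On Linux the access must be by root (uid 0), reflecting
    AN1418's sudo/root requirement."""
    window = timedelta(seconds=window_s)
    tool_re = [re.compile(p, re.I) for p in TOOL_PATTERNS[platform]]
    cache_re = [re.compile(p, re.I) for p in CACHE_PATTERNS[platform]]
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    procs = [e for e in events if e["kind"] == "process"
             and any(r.search(e["cmd"]) for r in tool_re)]
    files = [e for e in events if e["kind"] == "file"
             and any(r.search(e["path"]) for r in cache_re)]
    alerts = []
    for p in procs:
        for f in files:
            delta = f["ts"] - p["ts"]
            if f["host"] != p["host"] or not (timedelta(0) <= delta <= window):
                continue
            if platform == "linux" and f.get("uid") != "0":
                continue
            alerts.append({"host": p["host"], "user": p["user"], "cmd": p["cmd"],
                           "path": f["path"], "delta_s": delta.total_seconds()})
    return alerts


# Constructed Windows events (Sysmon EID 1 process creation, Security 4663
# file access). The WS02 access has no preceding tool execution and stays quiet.
WINDOWS_EVENTS = [
    r'ts="2025-10-21T09:00:00" host="WS01" kind="process" user="CORP\jdoe" cmd="reg.exe query HKLM\Software\Microsoft"',
    r'ts="2025-10-21T09:05:10" host="WS01" kind="process" user="CORP\jdoe" cmd="reg.exe save hklm\security C:\Temp\sec.hiv"',
    r'ts="2025-10-21T09:05:12" host="WS01" kind="file" user="CORP\jdoe" event="4663" path="C:\Windows\System32\config\SECURITY"',
    r'ts="2025-10-21T11:30:00" host="WS02" kind="file" user="NT AUTHORITY\SYSTEM" event="4663" path="C:\Windows\System32\config\SECURITY"',
]
# Constructed Linux events (auditd EXECVE, auditd SYSCALL file access). The
# later sssd_be read is the daemon touching its own cache: outside the window,
# so no alert.
LINUX_EVENTS = [
    'ts="2025-10-21T10:00:00" host="srv01" kind="process" user="alice" uid="1000" cmd="cat /etc/hosts"',
    'ts="2025-10-21T10:02:00" host="srv01" kind="process" user="alice" uid="1000" cmd="sudo tdbdump /var/lib/sss/db/cache_corp.example.ldb"',
    'ts="2025-10-21T10:02:01" host="srv01" kind="file" user="root" uid="0" comm="tdbdump" path="/var/lib/sss/db/cache_corp.example.ldb"',
    'ts="2025-10-21T10:30:00" host="srv01" kind="file" user="root" uid="0" comm="sssd_be" path="/var/lib/sss/db/cache_corp.example.ldb"',
]

if __name__ == "__main__":
    for platform, lines in (("windows", WINDOWS_EVENTS), ("linux", LINUX_EVENTS)):
        for a in correlate(lines, platform):
            print(platform, a)
```

Run as a script it prints one alert per platform: the `reg.exe save hklm\security` followed two seconds later by a read of the SECURITY hive, and the `sudo tdbdump` followed one second later by root reading the SSSD cache. Shrinking `window_s` to 1 drops the Windows alert, which is the trade-off the TimeWindow element describes: a tight window suppresses noise from legitimate daemons and backup jobs but can miss a slower operator.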