T1003.005 Cached Domain Credentials
Adversaries may attempt to access cached domain credentials, which Windows stores locally so that domain users can still authenticate when no domain controller is reachable.[1]
On Windows Vista and newer the cached entries are DCC2 (Domain Cached Credentials version 2) hashes, also known as MS-Cache v2.[2] Windows keeps the last 10 domain logons by default; the count can be raised or lowered per system. A DCC2 hash cannot be replayed in a pass-the-hash attack, so an adversary who obtains one must recover the plaintext through Password Cracking (T1110.002).[3]
Extraction requires SYSTEM: the entries live under the SECURITY hive (HKLM\SECURITY\Cache) and are encrypted with keys that are unlocked via the boot key held in the SYSTEM hive, so tools such as Mimikatz (lsadump::cache), Reg (reg save of HKLM\SECURITY and HKLM\SYSTEM for offline parsing) and Impacket's secretsdump.py all need both hives or equivalent live access.
Note: the DCC2 hash is computed with PBKDF2-HMAC-SHA1 (10,240 iterations by default) over the older MD4-based DCC1 hash and the lowercased username, which is what makes it slow to crack compared with NT or DCC1 hashes.[2]
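The derivation described above, worked in code. This is an added example (not part of the MITRE page and not the code of any tool it names): it implements MD4, the NT hash, DCC1 and DCC2 as Collins documents them [2], writes the result in the hashcat mode 2100 line format and runs a small dictionary attack against it, which is the only route from a dumped entry to a usable password. The username jdoe, the passwords and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

# Added example (not MITRE's or any tool's code): derives Domain Cached
# Credentials v2 (DCC2 / MS-Cache v2) as documented by Collins and shows why a
# dumped entry has to be cracked rather than replayed. All credentials used
# below are constructed for this example.

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Plain RFC 1320 MD4, implemented here because hashlib.new("md4") fails
    on OpenSSL 3 builds that do not load the legacy provider."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (boolean function, additive constant, word order, shifts)
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[w] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    # NT hash: MD4 over the UTF-16LE password (the thing pass-the-hash replays).
    return md4(password.encode("utf-16le"))


def dcc1(password: str, username: str) -> bytes:
    # MS-Cache v1 (pre-Vista): MD4(NT hash || lowercase username), unsalted by
    # anything secret and as fast as MD4 itself.
    return md4(nt_hash(password) + username.lower().encode("utf-16le"))


def dcc2(password: str, username: str, iterations: int = 10240) -> bytes:
    # MS-Cache v2 (Vista and newer): PBKDF2-HMAC-SHA1 keyed with DCC1, salted
    # with the lowercase username, 10,240 iterations by default, 16-byte output.
    salt = username.lower().encode("utf-16le")
    return hashlib.pbkdf2_hmac("sha1", dcc1(password, username), salt, iterations, 16)


def to_hashcat(password: str, username: str, iterations: int = 10240) -> str:
    # hashcat mode 2100 line format: $DCC2$<iterations>#<username>#<hex digest>
    return f"$DCC2${iterations}#{username}#{dcc2(password, username, iterations).hex()}"


def crack_dcc2(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on one hashcat-format DCC2 line; returns the password
    or None. Each guess costs a full PBKDF2 run, which is the point."""
    if not line.startswith("$DCC2$"):
        raise ValueError("not a DCC2 line")
    iters, user, digest = line[len("$DCC2$"):].split("#")
    target = bytes.fromhex(digest)
    for candidate in wordlist:
        if hmac.compare_digest(dcc2(candidate, user, int(iters)), target):
            return candidate
    return None


if __name__ == "__main__":
    sample = to_hashcat("Winter2020!", "jdoe")  # constructed cache entry
    print(sample)
    print("cracked:", crack_dcc2(sample, ["password", "Summer2019", "Winter2020!"]))
```

Every guess costs 10,240 HMAC-SHA1 iterations, roughly ten thousand times the cost of an NT-hash guess, which is why the entry above talks about cracking rather than replay: the DCC2 value is never sent over the network, so there is nothing to pass.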
Item | Value |
---|---|
ID | T1003.005 |
Sub-technique of | T1003 (OS Credential Dumping) |
Other sub-techniques of T1003 | T1003.001, T1003.002, T1003.003, T1003.004, T1003.006, T1003.007, T1003.008 |
Tactics | TA0006 (Credential Access) |
Platforms | Windows |
Permissions required | SYSTEM |
Version | 1.0 |
Created | 21 February 2020 |
Last Modified | 24 March 2020 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0064 | APT33 | APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[13][14] |
S0119 | Cachedump | Cachedump can extract cached password hashes from cache entry information.[9] |
S0349 | LaZagne | LaZagne can perform credential dumping from MSCache to obtain account and password information.[8] |
G0077 | Leafminer | Leafminer used several tools for retrieving login and password information, including LaZagne.[15] |
G0069 | MuddyWater | MuddyWater has performed credential dumping with LaZagne.[11][12] |
G0049 | OilRig | OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[16][17][18][19] |
S0439 | Okrum | Okrum was seen using a modified Quarks PwDump to perform credential dumping.[10] |
S0192 | Pupy | Pupy can use LaZagne for harvesting credentials.[7] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1015 | Active Directory Configuration | Consider adding sensitive users to the Protected Users Active Directory security group. Members cannot authenticate with NTLM and no cached verifier is created when they sign in, so their DCC2 hashes never reach the host; the trade-off is that they cannot sign in while no domain controller is reachable.[6] |
M1028 | Operating System Configuration | Consider limiting the number of cached logons via the CachedLogonsCount value (REG_SZ, default 10) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, or the equivalent policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)". Setting it to 0 disables caching entirely, at the cost of domain users being unable to log on while no domain controller is reachable.[5] |
M1027 | Password Policies | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
M1026 | Privileged Account Management | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
M1017 | User Training | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
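The Command Execution data source above, turned into something that runs. This is an added detection example (not a MITRE or vendor rule): it matches process command lines for the extraction tooling named in the description (reg save of the SECURITY and SYSTEM hives, Mimikatz lsadump::cache, secretsdump.py, Cachedump) and raises the severity when one host saves both hives within a short window, since that pair is exactly what an offline DCC2 dump needs. The events, hostnames, user names and thresholds are constructed for the example; the field names loosely follow Sysmon Event ID 1 / Windows 4688 process-creation records.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added detection example (not MITRE's or any vendor's rule). Events below are
# constructed; they are not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2020-03-24T10:01:02", "host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "reg save HKLM\\SECURITY C:\\Windows\\Temp\\sec.hiv"},
    {"ts": "2020-03-24T10:01:05", "host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.hiv"},
    {"ts": "2020-03-24T10:02:10", "host": "WS02", "user": "CORP\\jdoe",  # benign query
     "cmdline": 'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" /v CachedLogonsCount'},
    {"ts": "2020-03-24T10:03:00", "host": "WS03", "user": "NT AUTHORITY\\SYSTEM",  # renamed Mimikatz
     "cmdline": 'C:\\Users\\Public\\m.exe "privilege::debug" "token::elevate" "lsadump::cache" exit'},
    {"ts": "2020-03-24T10:04:30", "host": "JUMP01", "user": "CORP\\svc-backup",
     "cmdline": "python.exe secretsdump.py -security sec.hiv -system sys.hiv LOCAL"},
    {"ts": "2020-03-24T10:05:00", "host": "WS04", "user": "CORP\\admin",  # benign export
     "cmdline": "reg export HKLM\\SOFTWARE\\Contoso C:\\Temp\\app.reg /y"},
    {"ts": "2020-03-24T11:30:00", "host": "WS05", "user": "NT AUTHORITY\\SYSTEM",  # SYSTEM hive alone
     "cmdline": "reg.exe save hklm\\system C:\\backup\\system.bak"},
]

# (rule name, severity, pattern). The reg pattern captures which hive was saved
# so the correlation step below can pair SECURITY with SYSTEM.
RULES = [
    ("reg_hive_save", "medium", re.compile(
        r'\breg(?:\.exe)?\s+(?:save|export)\s+"?(?:hklm|hkey_local_machine)\\(security|system)(?=[\s"]|$)', re.I)),
    ("mimikatz_lsadump_cache", "high", re.compile(r"lsadump::cache", re.I)),
    ("impacket_secretsdump", "high", re.compile(r"\bsecretsdump(?:\.py)?\b", re.I)),
    ("cachedump", "high", re.compile(r"\bcachedump(?:\.exe)?\b", re.I)),
]
PAIR_WINDOW = timedelta(minutes=10)  # constructed threshold for the hive-pair correlation


def detect(events):
    """Return one alert dict per rule hit, plus one high-severity alert per host
    that saved both the SECURITY and SYSTEM hives within PAIR_WINDOW."""
    alerts = []
    hive_saves = defaultdict(list)  # host -> [(timestamp, hive name)]
    for ev in events:
        for name, severity, rx in RULES:
            m = rx.search(ev["cmdline"])
            if not m:
                continue
            alerts.append({"host": ev["host"], "user": ev["user"], "rule": name,
                           "severity": severity, "cmdline": ev["cmdline"]})
            if name == "reg_hive_save":
                hive_saves[ev["host"]].append((datetime.fromisoformat(ev["ts"]), m.group(1).lower()))

    # Offline extraction needs both hives: SECURITY holds the cache entries and
    # SYSTEM holds the boot key that unlocks them. Either hive on its own has
    # benign uses (backups, support tooling), so only the pair is rated high.
    for host, saves in hive_saves.items():
        security = [t for t, hive in saves if hive == "security"]
        system = [t for t, hive in saves if hive == "system"]
        if any(abs(t1 - t2) <= PAIR_WINDOW for t1 in security for t2 in system):
            alerts.append({"host": host, "user": None, "rule": "security_and_system_hive_pair",
                           "severity": "high", "cmdline": None})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["severity"]:6} {a["host"]:7} {a["rule"]:30} {a["cmdline"]}')
```

Command-line matching is cheap to evade (a Mimikatz build driven from an interactive console or loaded in memory leaves no lsadump::cache string in any process-creation event), so the reg.exe pair correlation is the more durable part of this rule: the hive names appear in the command line regardless of what tool consumes the files afterwards. Pair it with file-access auditing on the written hive files and with the Protected Users and CachedLogonsCount mitigations above, which remove the hashes rather than just noticing their theft.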
References
1. Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.
2. Eli Collins. (2016, November 25). Windows' Domain Cached Credentials v2. Retrieved February 21, 2020.
3. Mantvydas Baranauskas. (2019, November 16). Dumping and Cracking mscash - Cached Domain Credentials. Retrieved February 21, 2020.
5. Chad Tilbury. (2017, August 8). Windows Credentials: Attack, Mitigation, Defense. Retrieved February 21, 2020.
6. Microsoft. (2016, October 12). Protected Users Security Group. Retrieved May 29, 2020.
8. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.
9. Mandiant. (n.d.). APT1: Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
10. Hromcova, Z. (2019, July). Okrum and Ketrican: An Overview of Recent Ke3chang Group Activity. Retrieved May 6, 2020.
11. Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
12. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
13. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
14. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
15. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
16. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
17. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
18. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
19. Bromiley, M., et al. (2019, July 18). Hard Pass: Declining APT34's Invite to Join Their Professional Network. Retrieved August 26, 2019.