T1003.005 Cached Domain Credentials
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.
On Windows Vista and newer, the cached verifier is a DCC2 (Domain Cached Credentials version 2) hash, also known as an MS-Cache v2 hash. By default Windows caches the last 10 unique domain logons; the count is configurable per system (0 to 50). This hash cannot be used for pass-the-hash style attacks, since it is not the NT hash and is salted with the username; recovering the plaintext requires Password Cracking, and the PBKDF2 work factor makes that far slower than cracking NT hashes.
With SYSTEM access, tools such as Mimikatz, Reg, and secretsdump.py can be used to extract the cached credentials. The cache is stored as NL$<n> values under HKLM\SECURITY\Cache and is encrypted with the NL$KM LSA secret, which is itself protected by the boot key held in the SYSTEM hive, so decrypting it needs either live SYSTEM privileges or offline copies of both the SECURITY and SYSTEM hives.
Note: On Windows Vista and newer the cached verifier is derived with PBKDF2-HMAC-SHA1 (10,240 iterations, 16-byte output), keyed with the DCC1 value (the MD4 of the NT hash concatenated with the lowercased username in UTF-16LE) and salted with the lowercased username. Pre-Vista systems store the DCC1 value directly, which has no iteration count and cracks far faster.
Mitigations

Active Directory Configuration: Consider adding users to the "Protected Users" Active Directory security group. Members of this group do not get a cached verifier created at logon, so there is nothing for this technique to dump; the trade-off is that they cannot sign in while no domain controller is reachable.

Operating System Configuration: Consider limiting the number of cached credentials (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount, a REG_SZ value with a default of 10 and a valid range of 0 to 50; 0 disables caching and therefore offline domain logons). Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

Privileged Account Management: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
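A check for the CachedLogonsCount setting above, as an added example (not ATT&CK or Microsoft code): it parses the text that reg query prints for the Winlogon key, falls back to the Windows default of 10 when the value is absent, and produces the reg add command that brings the host under a policy ceiling. The sample reg query output is constructed, and the max_allowed ceiling of 4 is a hypothetical policy value chosen for the example.

```python
"""Audit the Winlogon CachedLogonsCount value from `reg query` output.
Added example, not part of the ATT&CK page; the sample output below is constructed."""
import re
from typing import Optional

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUE_NAME = "CachedLogonsCount"
WINDOWS_DEFAULT = 10  # Windows uses 10 when the value is not present
WINDOWS_MAX = 50      # Windows accepts 0..50; 0 disables caching entirely

# Constructed sample of:  reg query "HKLM\...\Winlogon" /v CachedLogonsCount
# on a host still at the default setting (not captured from a real system).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    CachedLogonsCount    REG_SZ    10

"""

# reg query prints "<name>    <type>    <data>" separated by runs of spaces.
_VALUE_RE = re.compile(r"^\s*CachedLogonsCount\s+REG_SZ\s+(\S+)\s*$",
                       re.IGNORECASE | re.MULTILINE)


def parse_cached_logons_count(reg_output: str) -> Optional[int]:
    """Return the configured count, or None when the value is missing or not numeric."""
    m = _VALUE_RE.search(reg_output)
    if m is None:
        return None
    try:
        return int(m.group(1))
    except ValueError:
        return None


def audit_cached_logons(reg_output: str, max_allowed: int = 4) -> dict:
    """Compare the effective setting with a policy ceiling (max_allowed is a hypothetical
    policy value for this example) and build the remediating reg add command if needed."""
    configured = parse_cached_logons_count(reg_output)
    # Windows falls back to 10 when unset and clamps out-of-range values to 0..50.
    effective = WINDOWS_DEFAULT if configured is None else min(max(configured, 0), WINDOWS_MAX)
    compliant = effective <= max_allowed
    remediation = None if compliant else (
        f'reg add "{WINLOGON_KEY}" /v {VALUE_NAME} /t REG_SZ /d {max_allowed} /f'
    )
    return {"configured": configured, "effective": effective,
            "compliant": compliant, "remediation": remediation}


if __name__ == "__main__":
    for key, value in audit_cached_logons(SAMPLE_REG_OUTPUT, max_allowed=4).items():
        print(f"{key}: {value}")
```

The same setting is exposed through Group Policy as "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", which is the preferable way to enforce it fleet-wide; the reg add form is useful for one-off remediation or for DFIR triage of an exported hive. Setting the value to 0 removes the cache entirely but also breaks domain logons on laptops that are off the corporate network, so pick the ceiling per device class rather than globally.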