Skip to content

T1003.005 Cached Domain Credentials

Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.1

On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.2 The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires Password Cracking to recover the plaintext password.3

With SYSTEM access, the tools/utilities such as Mimikatz, Reg, and secretsdump.py can be used to extract the cached credentials.

Note: Cached credentials for Windows Vista are derived using PBKDF2.2

Item Value
ID T1003.005
Sub-techniques T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008
Tactics TA0006
Platforms Windows
Permissions required SYSTEM
Version 1.0
Created 21 February 2020
Last Modified 24 March 2020

Procedure Examples

ID Name Description
G0064 APT33 APT33 has used a variety of publicly available tools like LaZagne to gather credentials.1314
S0119 Cachedump Cachedump can extract cached password hashes from cache entry information.9
S0349 LaZagne LaZagne can perform credential dumping from MSCache to obtain account and password information.8
G0077 Leafminer Leafminer used several tools for retrieving login and password information, including LaZagne.15
G0069 MuddyWater MuddyWater has performed credential dumping with LaZagne.1112
G0049 OilRig OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.16171819
S0439 Okrum Okrum was seen using modified Quarks PwDump to perform credential dumping.10
S0192 Pupy Pupy can use Lazagne for harvesting credentials.7

Mitigations

ID Mitigation Description
M1015 Active Directory Configuration Consider adding users to the “Protected Users” Active Directory security group. This can help limit the caching of users’ plaintext credentials.6
M1028 Operating System Configuration Consider limiting the number of cached credentials (HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\cachedlogonscountvalue)5
M1027 Password Policies Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
M1026 Privileged Account Management Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
M1017 User Training Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

Detection

ID Data Source Data Component
DS0017 Command Command Execution

References

  1. Microsfot. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020. 

  2. Eli Collins. (2016, November 25). Windows’ Domain Cached Credentials v2. Retrieved February 21, 2020. 

  3. Mantvydas Baranauskas. (2019, November 16). Dumping and Cracking mscash - Cached Domain Credentials. Retrieved February 21, 2020. 

  4. PowerSploit. (n.d.). Retrieved December 4, 2014. 

  5. Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack, Mitigation, Defense. Retrieved February 21, 2020. 

  6. Microsoft. (2016, October 12). Protected Users Security Group. Retrieved May 29, 2020. 

  7. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  8. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018. 

  9. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. 

  10. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  11. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018. 

  12. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018. 

  13. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. 

  14. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. 

  15. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. 

  16. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. 

  17. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. 

  18. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. 

  19. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019. 

Back to top