Description
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires Password Cracking to recover the plaintext password.(Citation: ired mscache)
On Linux systems, Active Directory credentials can be accessed through caches maintained by software like System Security Services Daemon (SSSD) or Quest Authentication Services (formerly VAS). Cached credential hashes are typically located at /var/lib/sss/db/cache.[domain].ldb for SSSD or /var/opt/quest/vas/authcache/vas_auth.vdb for Quest. Adversaries can use utilities, such as tdbdump, on these database files to dump the cached hashes and use Password Cracking to obtain the plaintext password.(Citation: Brining MimiKatz to Unix)
With SYSTEM or sudo access, the tools/utilities such as Mimikatz, Reg, and secretsdump.py for Windows or Linikatz for Linux can be used to extract the cached credentials.(Citation: Brining MimiKatz to Unix)
Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)
Mimikatz Tutorial
Read our in-depth pentesting guide related to this technique
Platforms
Mitigations (5)
Active Directory ConfigurationM1015
Consider adding users to the "Protected Users" Active Directory security group. This can help limit the caching of users' plaintext credentials.(Citation: Microsoft Protected Users Security Group)
User TrainingM1017
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
Password PoliciesM1027
Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Operating System ConfigurationM1028
Consider limiting the number of cached credentials (HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\cachedlogonscountvalue)(Citation: Tilbury Windows Credentials)
Privileged Account ManagementM1026
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used a variety of publicly available tools like [LaZagne](https://attack.mitre.org/software/S0349) ... |
| G0077 | Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) used several tools for retrieving login and password information, including LaZagne.(Citation: Syma... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used credential dumping tools such as [LaZagne](https://attack.mitre.org/software/S0349) to steal ... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has performed credential dumping with [LaZagne](https://attack.mitre.org/software/S0349).(Citation... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0439 | Okrum | Malware | [Okrum](https://attack.mitre.org/software/S0439) was seen using modified Quarks PwDump to perform credential dumping.(Citation: ESET Okrum July 2019) |
| S0119 | Cachedump | Tool | [Cachedump](https://attack.mitre.org/software/S0119) can extract cached password hashes from cache entry information.(Citation: Mandiant APT1) |
| S0349 | LaZagne | Tool | [LaZagne](https://attack.mitre.org/software/S0349) can perform credential dumping from MSCache to obtain account and password information.(Citation: G... |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can use Lazagne for harvesting credentials.(Citation: GitHub Pupy) |
Related CWE Weaknesses
References
- Eli Collins. (2016, November 25). Windows' Domain Cached Credentials v2. Retrieved February 21, 2020.
- Mantvydas Baranauskas. (2019, November 16). Dumping and Cracking mscash - Cached Domain Credentials. Retrieved February 21, 2020.
- Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020.
- PowerSploit. (n.d.). Retrieved December 4, 2014.
- Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021.
Frequently Asked Questions
What is T1003.005 (Cached Domain Credentials)?
T1003.005 is a MITRE ATT&CK technique named 'Cached Domain Credentials'. It belongs to the Credential Access tactic(s). Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds) On Windows Vista...
How can T1003.005 be detected?
Detection of T1003.005 (Cached Domain Credentials) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1003.005?
There are 5 documented mitigations for T1003.005. Key mitigations include: Active Directory Configuration, User Training, Password Policies, Operating System Configuration, Privileged Account Management.
Which threat groups use T1003.005?
Known threat groups using T1003.005 include: APT33, Leafminer, OilRig, MuddyWater.