T1003.005 - Cached Domain Credentials#
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires Password Cracking to recover the plaintext password.(Citation: ired mscache)
With SYSTEM access, the tools/utilities such as Mimikatz, Reg, and secretsdump.py can be used to extract the cached credentials.
Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)
Atomic Tests#
Atomic Test #1 - Cached Credential Dump via CmdkeyList credentials currently stored on the host via the built-in Windows utility cmdkey.exe#
Credentials listed with Cmdkey only pertain to the current user
Passwords will not be displayed once they are stored
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with command_prompt
cmdkey /list
Invoke-AtomicTest T1003.005 -TestNumbers 1
Detection#
Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit’s Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.
Detection of compromised Valid Accounts in-use by adversaries may help as well.