EXPLORE

← Back to Explore

T1003.005

Cached Domain Credentials

Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds) On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Passwo...

WindowsLinux

11

Detections

3

Sources

4

Threat Actors

BY SOURCE

8sigma2elastic1splunk_escu

PROCEDURES (6)

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

Registry3 detections

Auto-extracted: 3 detections for registry

Service2 detections

Auto-extracted: 2 detections for service

Dump1 detections

Auto-extracted: 1 detections for dump

Registry1 detections

Auto-extracted: 1 detections for registry

Dump1 detections

Auto-extracted: 1 detections for dump

THREAT ACTORS (4)

APT33 Leafminer MuddyWater OilRig

DETECTIONS (11)

Cred Dump Tools Dropped Files

Credential Dumping Tools Service Execution - Security

Credential Dumping Tools Service Execution - System

Dumping of Sensitive Hives Via Reg.EXE

HackTool - Credential Dumping Tools Named Pipe Created

HackTool - Mimikatz Execution

New Generic Credentials Added Via Cmdkey.EXE

Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE

PowerShell Invoke-NinjaCopy script

Sensitive Registry Hive Access via RegBack

Windows Cached Domain Credentials Reg Query