Skip to content
Atomic Red Team
atomics
T1003.005

T1003.005 - OS Credential Dumping: Cached Domain Credentials

Description from ATT&CK (opens in a new tab)

Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)

On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires Password Cracking (opens in a new tab) to recover the plaintext password.(Citation: ired mscache)

On Linux systems, Active Directory credentials can be accessed through caches maintained by software like System Security Services Daemon (SSSD) or Quest Authentication Services (formerly VAS). Cached credential hashes are typically located at /var/lib/sss/db/cache.[domain].ldb for SSSD or /var/opt/quest/vas/authcache/vas_auth.vdb for Quest. Adversaries can use utilities, such as tdbdump, on these database files to dump the cached hashes and use Password Cracking (opens in a new tab) to obtain the plaintext password.(Citation: Brining MimiKatz to Unix)

With SYSTEM or sudo access, the tools/utilities such as Mimikatz (opens in a new tab), Reg (opens in a new tab), and secretsdump.py for Windows or Linikatz for Linux can be used to extract the cached credentials.(Citation: Brining MimiKatz to Unix)

Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)

Atomic Tests


Atomic Test #1 - Cached Credential Dump via Cmdkey

List credentials currently stored on the host via the built-in Windows utility cmdkey.exe Credentials listed with Cmdkey only pertain to the current user Passwords will not be displayed once they are stored https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey (opens in a new tab) https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 56506854-89d6-46a3-9804-b7fde90791f9

Attack Commands: Run with command_prompt!

cmdkey /list

T1003.004T1003.006