Keypoints:
- Cached domain credentials allow logons when a domain controller is unreachable and adversaries target them to obtain plaintext passwords via cracking.
- Windows Vista and later store cached credentials as DCC2 (MS-Cache v2) hashes; these cannot be replayed in pass-the-hash attacks and must instead be cracked to recover the password.
- On Linux, SSSD and Quest/VAS maintain local caches (e.g., /var/lib/sss/db/cache.[domain].ldb and /var/opt/quest/vas/authcache/vas_auth.vdb) that can be dumped with tools like tdbdump.
- Extraction requires elevated privileges (SYSTEM or sudo) and is commonly performed with tools like Mimikatz, Reg, secretsdump.py, or Linikatz on Unix variants.
- Detection relies on monitoring process execution, command-line activity, PowerShell usage, and authentication anomalies tied to compromised valid accounts.
Description:
- Think of cached domain credentials as a spare key hidden under a doormat: convenient for legitimate users when the main door (domain controller) is unreachable, but attractive to intruders who find and duplicate the key to re-enter the house later.
- Adversaries extract cached credential hashes from Windows (DCC2/MS-Cache v2) or from local AD caches on Linux (SSSD/Quest). With elevated privileges they dump these stores, then perform password cracking to recover plaintext passwords, enabling credential reuse, lateral movement, and persistence even when controllers are offline.
Detection:
- Monitor process creation for known dumping tools (mimikatz, secretsdump.py, reg.exe in suspicious contexts, Linikatz) and alert on anomalous parent/child relationships.
- Log and inspect command-line arguments (Sysmon or equivalent) for modules and flags used to target credential stores (Invoke-Mimikatz, /export, dump options) and alert on uncommon usage on workstations or servers.
- Enable PowerShell Module Logging and Script Block Logging where supported, and collect and review transcription and module logs to detect PowerShell-based dumping (e.g., PowerSploit Invoke-Mimikatz).
- Monitor privileged account use and sudden authentication spikes or lateral logons following local cache access; correlate with endpoint events to detect suspicious reuse of recovered credentials.
- Audit access to local credential store files: on Linux watch reads to /var/lib/sss/db/* and /var/opt/quest/vas/authcache/*; on Windows monitor registry access patterns and system API calls that read cached credentials.
- Monitor the security settings that govern caching (e.g., Group Policy changes to the number of cached logons) and alert on configuration modifications.
- Reduce false positives by baselining legitimate admin tools and approved maintenance activities; implement allowlists for known administrative scripts and require monitored, authenticated jump hosts for privileged access.
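As an added illustration of the detection list above (example code written for this page, not from the ATT&CK entry or any tool it names), a small rule set run over constructed telemetry: it flags the named dumping tools and PowerShell module, reg.exe exports that fall outside an admin baseline, and reads of the Linux cache directories by anything other than their owning daemon. Host names, user names, the allowlist and the daemon names are assumptions.

```python
import re
import ntpath  # handles Windows paths regardless of the platform the script runs on

# Constructed sample telemetry (not from the page): process-creation and
# file-read events as a Sysmon/auditd-style pipeline might normalize them.
SAMPLE_EVENTS = [
    {"host": "ws-017", "user": "CORP\\jdoe", "kind": "process", "parent": "cmd.exe",
     "image": r"C:\Users\jdoe\Downloads\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"host": "ws-017", "user": "CORP\\jdoe", "kind": "process", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c Invoke-Mimikatz"},
    {"host": "ws-017", "user": "CORP\\jdoe", "kind": "process", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe export HKLM\SOFTWARE\Corp C:\Users\Public\corp.reg"},
    {"host": "srv-db-02", "user": "CORP\\svc_backup", "kind": "process", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe export HKLM\SOFTWARE\Vendor D:\backup\vendor.reg"},
    {"host": "lnx-web-04", "user": "root", "kind": "file_read", "process": "tdbdump",
     "path": "/var/lib/sss/db/cache_corp.example.ldb"},
    {"host": "lnx-web-04", "user": "root", "kind": "file_read", "process": "sssd_be",
     "path": "/var/lib/sss/db/cache_corp.example.ldb"},
]

# Constructed baseline of (host, user) pairs approved for admin registry exports.
ADMIN_BASELINE = {("srv-db-02", "CORP\\svc_backup")}
# Daemons expected to read their own cache files (assumed process names).
CACHE_OWNERS = {"sssd", "sssd_be", "vasd"}
CACHE_DIRS = ("/var/lib/sss/db/", "/var/opt/quest/vas/authcache/")
TOOL_RE = re.compile(r"mimikatz|secretsdump|linikatz", re.I)
PS_MODULE_RE = re.compile(r"Invoke-Mimikatz", re.I)
REG_EXPORT_RE = re.compile(r"\b(export|save)\b", re.I)

def evaluate(event):
    """Return (rule, severity) for a suspicious event, or None when benign."""
    if event["kind"] == "process":
        if PS_MODULE_RE.search(event["cmdline"]):          # checked first: it also contains "mimikatz"
            return ("powershell_credential_module", "high")
        if TOOL_RE.search(event["image"] + " " + event["cmdline"]):
            return ("known_dumping_tool", "high")
        if ntpath.basename(event["image"]).lower() == "reg.exe" and REG_EXPORT_RE.search(event["cmdline"]):
            if (event["host"], event["user"]) in ADMIN_BASELINE:
                return None                                  # approved maintenance: suppress
            return ("reg_export_unbaselined", "medium")
    elif event["kind"] == "file_read":
        if event["path"].startswith(CACHE_DIRS) and event["process"] not in CACHE_OWNERS:
            return ("local_cache_file_read", "high")
    return None

def scan(events):
    """Evaluate every event; return alerts as (host, rule, severity) in input order."""
    alerts = []
    for e in events:
        hit = evaluate(e)
        if hit:
            alerts.append((e["host"],) + hit)
    return alerts
```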
Tactics:
Credential Access
Platforms:
Linux, Windows
Data Sources:
Command: Command Execution
Relationship Citations:
(Citation: Mandiant APT1),(Citation: FireEye APT35 2018),(Citation: GitHub LaZagne Dec 2018),(Citation: ESET Okrum July 2019),(Citation: Unit42 OilRig Playbook 2023),(Citation: GitHub Pupy),(Citation: Symantec Elfin Mar 2019),(Citation: Unit 42 MuddyWater Nov 2017),(Citation: Symantec Leafminer July 2018),(Citation: FireEye APT33 Guardrail),(Citation: Symantec MuddyWater Dec 2018),(Citation: FireEye APT34 Webinar Dec 2017),(Citation: FireEye APT34 July 2019),(Citation: Tilbury Windows Credentials),(Citation: Microsoft Protected Users Security Group)