Cached Domain Credentials
MITRE ATT&CK, Credential Access, Sub-technique T1003.005
With SYSTEM access, an attacker can dump cached credentials with Mimikatz or Secretsdump. Note that DCC hashes take significantly longer to crack than NT or Net-NTLM hashes. I recommend using a simple password and rule list that has been tailored to your target first.
Cracking
To crack these with Hashcat, the hash needs to be in the following format:
After ensuring the hash is formatted appropriately, they can be cracked with the following command:
Mitigations
The following settings can be configured to remove cached domain credentials from LSA Secrets:
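A quick way to audit the mitigation on a host, as an added example that is not part of the original page: it assumes the standard Winlogon CachedLogonsCount value (the "Interactive logon: Number of previous logons to cache" policy) is what controls the cached logons that produce DCC hashes.

```powershell
# Added example (not from the original page): audit how many domain logons
# this host caches locally. Assumes the standard Winlogon CachedLogonsCount
# value; it is stored as REG_SZ, so the value is a string.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }   # Windows default when the value is absent
    return [int]$item.$name
}

$count = Get-CachedLogonsCount
if ($count -gt 0) {
    Write-Warning "This host caches up to $count domain logons; DCC hashes are recoverable with SYSTEM access."
    # Only disable caching on hosts that never need offline logon (servers, not laptops):
    # Set-ItemProperty -Path $key -Name $name -Value '0'
} else {
    Write-Output 'Cached domain logons are disabled on this host.'
}
```

Setting the value to 0 on a laptop means domain users cannot log on while disconnected from a domain controller, so scope the change to machines that are always on the network.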