# Cached Domain Credentials With SYSTEM access, an attacker can dump cached credentials with Mimikatz or Secretsdump. Note that DCC hashes take significantly longer to crack than an NT or Net-NTLM hashes. I recommend using a simple password and rule list that has been tailored to your target first. ### Cracking To crack these with Hashcat, the hash needs to be in the following format: ```bash $DCC2$10240#parzival#e4e938d12fe5974dc42a90120bd9c90f ``` After ensuring the hash is formatted appropriately, they can be cracked with the following command: ```bash hashcat -m 2100 $dcc_file $wordlist ``` ### Mitigations The following settings can be configured to remove cached domain credentials from LSA Secrets: ```bash Cached credential set to 0 on servers Cached credential set to 1 on workstations ``` ### References {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ttp.parzival.sh/pentesting/infrastructure/active-directory/os-credential-dumping/cached-domain-credentials.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.