Cached Domain Credentials

MITRE ATT&CK, Credential Access, Sub-technique T1003.005

With SYSTEM access, an attacker can dump cached credentials with Mimikatz or Secretsdump. Note that DCC hashes take significantly longer to crack than NT or Net-NTLM hashes. I recommend first using a simple password list and rule list that has been tailored to your target.

Cracking

To crack these with Hashcat, the hash needs to be in the following format:

$DCC2$10240#parzival#e4e938d12fe5974dc42a90120bd9c90f

After ensuring the hash is formatted appropriately, it can be cracked with the following command:

hashcat -m 2100 $dcc_file $wordlist
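To make the line format concrete, and to show where the extra cracking cost comes from, the following is an added Python example (not code from the original page): it parses hashcat's mode 2100 line format, `$DCC2$<iterations>#<username>#<32 hex chars>`, and re-derives the DCC2 (MS-Cache v2) digest from a username and password. DCC1 is MD4 over the NT hash and the lowercased username, and DCC2 is PBKDF2-HMAC-SHA1 keyed with DCC1, salted with the lowercased username, for the stated number of iterations. MD4 is implemented in pure Python because OpenSSL 3 only ships it in its legacy provider. The sample hash line is assumed to be hashcat's published example for mode 2100 (user `tom`, password `hashcat`), and the function and class names are this example's own.

```python
import hashlib
import struct
from dataclasses import dataclass


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') often fails on OpenSSL 3."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i, s in zip(range(16), [3, 7, 11, 19] * 4):
            a = _rotl((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, s)
            a, b, c, d = d, a, b, c
        for i, s in zip(r2, [3, 5, 9, 13] * 4):
            a = _rotl((a + g(b, c, d) + x[i] + 0x5A827999) & 0xFFFFFFFF, s)
            a, b, c, d = d, a, b, c
        for i, s in zip(r3, [3, 9, 11, 15] * 4):
            a = _rotl((a + h(b, c, d) + x[i] + 0x6ED9EBA1) & 0xFFFFFFFF, s)
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & 0xFFFFFFFF, (b0 + b) & 0xFFFFFFFF,
                          (c0 + c) & 0xFFFFFFFF, (d0 + d) & 0xFFFFFFFF)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    # NT hash: a single MD4 over the UTF-16LE password, which is why it cracks fast.
    return md4(password.encode("utf-16le"))


def dcc1(username: str, password: str) -> bytes:
    # MS-Cache v1: MD4(NT hash || lowercased username as UTF-16LE).
    return md4(nt_hash(password) + username.lower().encode("utf-16le"))


def dcc2(username: str, password: str, iterations: int = 10240) -> bytes:
    # MS-Cache v2: PBKDF2-HMAC-SHA1 keyed with DCC1 and salted with the lowercased
    # username. Each guess costs the stated number of HMAC iterations, not one MD4.
    salt = username.lower().encode("utf-16le")
    return hashlib.pbkdf2_hmac("sha1", dcc1(username, password), salt, iterations, 16)


@dataclass(frozen=True)
class Dcc2Hash:
    iterations: int
    username: str
    digest: str  # lowercase hex


def parse_dcc2_line(line: str) -> Dcc2Hash:
    """Parse hashcat's mode 2100 line: $DCC2$<iterations>#<username>#<32 hex chars>."""
    line = line.strip()
    if not line.startswith("$DCC2$"):
        raise ValueError("missing $DCC2$ tag")
    parts = line[len("$DCC2$"):].split("#")
    if len(parts) != 3:
        raise ValueError("expected <iterations>#<username>#<digest>")
    iters, user, digest = parts
    if not iters.isdigit() or int(iters) <= 0:
        raise ValueError("iteration count must be a positive integer")
    if not user:
        raise ValueError("username must not be empty")
    if len(digest) != 32 or any(ch not in "0123456789abcdefABCDEF" for ch in digest):
        raise ValueError("digest must be 32 hex characters")
    return Dcc2Hash(int(iters), user, digest.lower())


def is_valid_dcc2_line(line: str) -> bool:
    try:
        parse_dcc2_line(line)
        return True
    except ValueError:
        return False


def matches(line: str, candidate: str) -> bool:
    """True if the candidate password reproduces the digest in the hash line."""
    h = parse_dcc2_line(line)
    return dcc2(h.username, candidate, h.iterations).hex() == h.digest


if __name__ == "__main__":
    # Constructed sample: assumed to be hashcat's published mode 2100 example hash.
    sample = "$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f"
    parsed = parse_dcc2_line(sample)
    print(parsed)
    print("candidate 'hashcat' matches:", matches(sample, "hashcat"))
    print(f"work per guess: NT = 1 MD4, DCC2 = 2 MD4 + {parsed.iterations} HMAC-SHA1")
```

Because the username is part of the derivation (it salts both MD4 and PBKDF2), the username field in the hash line must be the real account name or no candidate will ever match, and two accounts with the same password still produce different digests, so DCC2 lines cannot be deduplicated the way NT hashes can. The iteration count in the line is what hashcat honours, so a line whose count does not match the host's actual setting is equally uncrackable.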

Mitigations

The following settings can be configured to remove cached domain credentials from LSA Secrets:

Number of cached credentials set to 0 on servers
Number of cached credentials set to 1 on workstations
