Cached Domain Credentials

MITRE ATT&CK, Credential Access, Sub-technique T1003.005

With SYSTEM access, an attacker can dump cached domain credentials with Mimikatz or Secretsdump. Note that DCC hashes take significantly longer to crack than NT or Net-NTLM hashes, so I recommend starting with a small password list and rule set tailored to your target.


To crack these with Hashcat, the hash needs to be in the following format:


After ensuring the hash is formatted appropriately, it can be cracked with the following command (mode 2100 is Hashcat's Domain Cached Credentials 2 / MS Cache 2 mode):

hashcat -m 2100 $dcc_file $wordlist


The following settings limit how many domain logons Windows caches in LSA Secrets (the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"):

Set the cached logon count to 0 on servers
Set the cached logon count to 1 on workstations
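An audit script for the settings above, added here as an example rather than taken from the original notes. It assumes it is run elevated; the -Remediate switch name and the output wording are mine, while the registry path, value name and ProductType mapping are standard Windows.

```powershell
# Added example (not from the original page): audit CachedLogonsCount against the
# recommendation above (0 on servers, 1 on workstations) and optionally fix it.
# Assumes an elevated session. The registry value below backs the Group Policy setting
# "Interactive logon: Number of previous logons to cache (in case domain controller is not available)".
param(
    [switch]$Remediate   # hypothetical switch name: apply the expected value instead of only reporting
)

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'   # stored as REG_SZ; the Windows default is "10"

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$expected    = if ($productType -eq 1) { '1' } else { '0' }

# A missing value means the Windows default of 10 cached logons applies
$current = (Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ([string]::IsNullOrEmpty($current)) { $current = '10' }

if ([int]$current -le [int]$expected) {
    Write-Output "OK: $ValueName=$current (expected <= $expected for ProductType $productType)"
}
elseif ($Remediate) {
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value $expected -Type String
    Write-Output "Remediated: $ValueName changed from $current to $expected"
}
else {
    Write-Output "FINDING: $ValueName=$current, expected <= $expected (re-run with -Remediate to fix)"
}
```

On a domain-joined host a Group Policy refresh will overwrite a local registry change, so in a domain the value belongs in the GPO rather than in the local registry.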


