Cached Domain Credentials

Information

• Name: Cached Domain Credentials

• ID: T1003.005

• Tactics:

• Technique:

Introduction

Cached Domain Credentials (T1003.005) is a sub-technique of Credential Dumping (T1003) within the MITRE ATT&CK framework. This sub-technique involves attackers extracting cached credentials stored locally on Windows systems. Cached domain credentials enable users to authenticate to a domain when domain controllers are unavailable. Attackers exploit this mechanism to retrieve and reuse these credentials, facilitating lateral movement, privilege escalation, and persistence within compromised environments.

Deep Dive Into Technique

Windows operating systems cache domain credentials locally for convenience, allowing users to log into their systems even when the domain controller is unreachable. By default, Windows caches the last 10 domain logon credentials, storing them securely in the registry under the following key:

• HKEY_LOCAL_MACHINE\Security\Cache

These credentials are hashed and stored in the form of cached domain credential hashes, commonly known as "MSCache" or "Domain Cached Credentials (DCC)" hashes. The hashing algorithm used is a salted MD4-based hash (MSCacheV1) or salted SHA1-based hash (MSCacheV2), depending on the Windows version. Attackers must have administrative or SYSTEM-level privileges to access and extract these cached credentials.

Common tools and methods used by attackers to extract cached domain credentials include:

• Mimikatz (module: lsadump::cache)

• Metasploit Framework (post/windows/gather/cachedump)

• Windows Credential Editor (WCE)

• Pwdump variants (e.g., cachedump.py)

• Custom PowerShell scripts and frameworks (e.g., PowerSploit)

Once extracted, attackers can attempt offline password cracking using brute-force or dictionary attacks to recover the plaintext passwords. Successfully cracked credentials can then be leveraged for lateral movement, privilege escalation, and persistence.

When this Technique is Usually Used

Attackers typically use cached domain credential extraction in various scenarios and attack stages, including:

• Initial Access and Reconnaissance:

  • After initial compromise, attackers extract cached credentials to identify valid user accounts and passwords, aiding further reconnaissance and enumeration activities.

• Privilege Escalation:

  • Attackers leverage cached credentials of privileged users (e.g., administrators) to escalate privileges or gain higher-level access within the network.

• Lateral Movement:

  • Attackers reuse cracked credentials to authenticate to other systems and move laterally within the compromised domain environment.

• Persistence and Credential Harvesting:

  • Attackers periodically extract cached credentials to maintain persistent access and continuously harvest new, valid credentials.

• Situations with Limited Network Connectivity:

  • Attackers exploit cached credentials when domain controllers are unreachable or isolated, making detection and remediation more challenging.

How this Technique is Usually Detected

Detection of cached domain credential extraction involves monitoring and analyzing various system events, artifacts, and indicators of compromise (IoCs):

• System Event Logs:

  • Monitor Windows Security event logs (Event ID 4624, 4625) for unusual logon attempts, especially local logins using domain accounts without corresponding domain controller authentication events.

  • Identify suspicious logon patterns, such as multiple failed logins followed by successful local authentication.

• Registry Monitoring:

  • Monitor registry access to the HKEY_LOCAL_MACHINE\Security\Cache key, especially by unauthorized or unknown processes.

  • Implement registry auditing to track and alert on unauthorized attempts to access or modify cached credential registry keys.

• Process Monitoring and Endpoint Detection & Response (EDR) Tools:

  • Deploy endpoint monitoring solutions (e.g., Microsoft Defender for Endpoint, CrowdStrike Falcon, Carbon Black) to detect known credential dumping tools (Mimikatz, WCE, pwdump).

  • Implement behavioral analysis to identify suspicious process executions, memory injections, or credential extraction activities.

• File and Memory Analysis:

  • Conduct periodic memory scans and forensic analysis to detect in-memory credential extraction activities.

  • Analyze system artifacts and memory dumps for indicators of credential dumping techniques.

• Network Monitoring and SIEM Integration:

  • Correlate endpoint logs with network traffic analysis to detect anomalous authentication attempts or lateral movement activities.

  • Integrate alerts and events into Security Information and Event Management (SIEM) solutions for centralized detection and response.

Specific Indicators of Compromise (IoCs):

• Presence or execution of known credential extraction tools (Mimikatz, cachedump scripts, WCE binaries).

• Suspicious access or modifications to the cached credential registry keys.

• Unusual authentication patterns, such as local logins with domain accounts without domain controller interaction.

• Presence of unexpected memory dumps or registry backups containing cached password hashes.

Why it is Important to Detect This Technique

Detecting cached domain credential extraction is critical to safeguarding organizational assets and preventing further compromise. Failure to detect and mitigate this technique can lead to severe consequences, including:

• Privilege Escalation:

  • Attackers may recover privileged account credentials, enabling them to escalate privileges and control critical systems and infrastructure.

• Lateral Movement:

  • Compromised credentials facilitate attackers' lateral movement within the network, increasing the attack surface and complicating containment and remediation efforts.

• Persistence and Long-term Compromise:

  • Attackers leveraging cached credentials can maintain persistent access, remaining undetected for extended periods and causing prolonged damage.

• Data Theft and Exfiltration:

  • Compromised credentials can enable attackers to access sensitive data, intellectual property, or confidential information, leading to financial and reputational damage.

• Operational Disruption:

  • Attackers may leverage extracted credentials to disrupt business operations, degrade system performance, or cause denial-of-service conditions.

Early detection and response to cached domain credential extraction activities can significantly reduce attacker dwell time, minimize lateral movement opportunities, and mitigate overall damage and impact to the organization.

Examples

Real-world examples and scenarios involving cached domain credential extraction include:

• APT29 (Cozy Bear):

  • APT29 has been observed using Mimikatz and other credential dumping tools to extract cached domain credentials during targeted intrusions. These credentials were subsequently leveraged for lateral movement and persistence within compromised environments.

• FIN7 Cybercrime Group:

  • The FIN7 threat actor frequently employs credential dumping techniques, including cached credential extraction, to escalate privileges and move laterally within victim networks, enabling theft of financial data and sensitive information.

• Ryuk Ransomware Attacks:

  • Ryuk ransomware operators have utilized credential dumping tools like Mimikatz to extract cached domain credentials, facilitating lateral movement and deployment of ransomware payloads across multiple systems within victim organizations.

• Emotet and TrickBot Malware Campaigns:

  • Emotet and TrickBot malware infections often include modules designed to extract cached credentials. Extracted credentials are then passed to secondary payloads, such as Ryuk ransomware or other malware families, for lateral propagation and further exploitation.

Tools commonly observed in real-world attacks:

• Mimikatz:

  • Widely used credential dumping tool with built-in support for cached credential extraction (lsadump::cache).

• Metasploit Framework:

  • Provides modules (post/windows/gather/cachedump) for automated extraction of cached domain credentials.

• Windows Credential Editor (WCE):

  • Standalone tool for extracting cached credentials and performing offline password cracking.

• Cachedump.py and Custom Scripts:

  • Python-based or PowerShell-based scripts specifically designed to extract cached domain credential hashes for offline cracking.

Impacts observed in real-world attacks involving cached credential extraction include:

• Large-scale data breaches and theft of sensitive information.

• Significant financial losses due to ransomware attacks and operational disruption.

• Prolonged attacker persistence and increased remediation complexity.

• Damage to organizational reputation and customer trust.

Understanding these real-world examples and attack scenarios highlights the importance of proactively detecting and mitigating cached domain credential extraction within enterprise environments.