MITRE ATT&CK Technique
Description
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds) On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache) On Linux systems, Active Directory credentials can be accessed through caches maintained by software like System Security Services Daemon (SSSD) or Quest Authentication Services (formerly VAS). Cached credential hashes are typically located at `/var/lib/sss/db/cache.[domain].ldb` for SSSD or `/var/opt/quest/vas/authcache/vas_auth.vdb` for Quest. Adversaries can use utilities, such as `tdbdump`, on these database files to dump the cached hashes and use [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to obtain the plaintext password.(Citation: Brining MimiKatz to Unix) With SYSTEM or sudo access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py for Windows or Linikatz for Linux can be used to extract the cached credentials.(Citation: Brining MimiKatz to Unix) Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-21T15:42:25.991Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may attempt to access cached domain credentials '
'used to allow authentication to occur in the event a domain '
'controller is unavailable.(Citation: Microsoft - Cached '
'Creds)\n'
'\n'
'On Windows Vista and newer, the hash format is DCC2 (Domain '
'Cached Credentials version 2) hash, also known as MS-Cache v2 '
'hash.(Citation: PassLib mscache) The number of default cached '
'credentials varies and can be altered per system. This hash '
'does not allow pass-the-hash style attacks, and instead '
'requires [Password '
'Cracking](https://attack.mitre.org/techniques/T1110/002) to '
'recover the plaintext password.(Citation: ired mscache)\n'
'\n'
'On Linux systems, Active Directory credentials can be '
'accessed through caches maintained by software like System '
'Security Services Daemon (SSSD) or Quest Authentication '
'Services (formerly VAS). Cached credential hashes are '
'typically located at `/var/lib/sss/db/cache.[domain].ldb` for '
'SSSD or `/var/opt/quest/vas/authcache/vas_auth.vdb` for '
'Quest. Adversaries can use utilities, such as `tdbdump`, on '
'these database files to dump the cached hashes and use '
'[Password '
'Cracking](https://attack.mitre.org/techniques/T1110/002) to '
'obtain the plaintext password.(Citation: Brining MimiKatz to '
'Unix) \n'
'\n'
'With SYSTEM or sudo access, the tools/utilities such as '
'[Mimikatz](https://attack.mitre.org/software/S0002), '
'[Reg](https://attack.mitre.org/software/S0075), and '
'secretsdump.py for Windows or Linikatz for Linux can be used '
'to extract the cached credentials.(Citation: Brining MimiKatz '
'to Unix)\n'
'\n'
'Note: Cached credentials for Windows Vista are derived using '
'PBKDF2.(Citation: PassLib mscache)',
'external_references': [{'external_id': 'T1003.005',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1003/005'},
{'description': 'Eli Collins. (2016, November 25). '
"Windows' Domain Cached Credentials "
'v2. Retrieved February 21, 2020.',
'source_name': 'PassLib mscache',
'url': 'https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html'},
{'description': 'Mantvydas Baranauskas. (2019, '
'November 16). Dumping and Cracking '
'mscash - Cached Domain Credentials. '
'Retrieved February 21, 2020.',
'source_name': 'ired mscache',
'url': 'https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials'},
{'description': 'Microsoft. (2016, August 21). Cached '
'and Stored Credentials Technical '
'Overview. Retrieved February 21, '
'2020.',
'source_name': 'Microsoft - Cached Creds',
'url': 'https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11)'},
{'description': 'PowerSploit. (n.d.). Retrieved '
'December 4, 2014.',
'source_name': 'Powersploit',
'url': 'https://github.com/mattifestation/PowerSploit'},
{'description': 'Tim Wadhwa-Brown. (2018, November). '
'Where 2 worlds collide Bringing '
'Mimikatz et al to UNIX. Retrieved '
'October 13, 2021.',
'source_name': 'Brining MimiKatz to Unix',
'url': 'https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf'}],
'id': 'attack-pattern--6add2ab5-2711-4e9d-87c8-7a0be8531530',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'}],
'modified': '2025-10-24T17:48:54.919Z',
'name': 'Cached Domain Credentials',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Ed Williams, Trustwave, SpiderLabs',
'Tim (Wadhwa-)Brown',
'Yves Yonan'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows', 'Linux'],
'x_mitre_version': '1.1'}