Detect Cached Domain Credentials in Microsoft Sentinel
Adversaries access cached domain credentials (DCC2/MS-Cache v2) stored locally for offline authentication when domain controllers are unavailable. On Windows, these are stored as MSCACHE v2 (PBKDF2-derived) hashes in HKLM\SECURITY\Cache and cannot be used for pass-the-hash but can be cracked offline. Linux systems using SSSD store cached credentials at /var/lib/sss/db/cache.[domain].ldb. Tools include Mimikatz (lsadump::cache), LaZagne, Cachedump, and Quarks PwDump. Used by Okrum, APT33, OilRig, Leafminer, MuddyWater.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1003 OS Credential Dumping
- Sub-technique
- T1003.005 Cached Domain Credentials
- Canonical reference
- https://attack.mitre.org/techniques/T1003/005/
KQL Detection Query
let CachedCredDump = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
"lsadump::cache", "cachedump", "ms-cache", "mscache",
"cas_dump", "cachedump"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let LSACacheRegistry = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has @"SECURITY\Cache"
or RegistryKey has @"SECURITY\Policy\Secrets\NL$"
| where InitiatingProcessFileName !in~ ("lsass.exe", "svchost.exe", "services.exe")
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
InitiatingProcessFileName, InitiatingProcessCommandLine;
let LaZagneCached = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("lazagne.exe", "cachedump.exe", "fgdump.exe", "gsecdump.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let LinuxSSSDAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has "/var/lib/sss/db/"
or FolderPath has "/var/opt/quest/vas/authcache/"
| where ActionType in ("FileAccessed", "FileCopied")
| where InitiatingProcessFileName !in~ ("sssd", "sssd_nss", "sssd_pam")
| project Timestamp, DeviceName, FolderPath, FileName, ActionType, InitiatingProcessFileName;
union CachedCredDump, LSACacheRegistry, LaZagneCached, LinuxSSSDAccess
| sort by Timestamp descDetects cached domain credential extraction across Windows (Mimikatz lsadump::cache, registry access to SECURITY\Cache, known tools) and Linux (SSSD cache file access). Covers both in-memory and registry-based Windows approaches, plus Linux SSSD/Quest authentication cache files.
Data Sources
Required Tables
False Positives & Tuning
- Security auditing tools inventorying cached credentials as part of authorized security assessments
- Incident response tooling that reads SECURITY\Cache for forensic purposes during authorized investigations
- Enterprise password auditing solutions scanning cached credential strength
- Backup agents with SYSTEM privileges reading SECURITY hive including Cache key
Other platforms for T1003.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Mimikatz Cached Domain Credentials Dump
Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe with 'lsadump::cache' in CommandLine. Sysmon Event ID 12/13: Registry access to HKLM\SECURITY\Cache by mimikatz.exe. Security Event ID 4688 for mimikatz.exe.
- Test 2Check Cached Credential Count via Registry
Expected signal: Sysmon Event ID 12: Registry Key Opened for HKLM\SECURITY\Cache (if Sysmon is configured to log registry reads). Security Event ID 4656/4663 if registry auditing is enabled. Process Create for reg.exe.
- Test 3Linux SSSD Cache Access Simulation
Expected signal: Linux auditd events for file access on /var/lib/sss/db/ by non-sssd processes. Syslog entries for file access audit events. Process creation events for ls, file, and stat commands.
References (6)
- https://attack.mitre.org/techniques/T1003/005/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials
- https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html
- https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md
Unlock Pro Content
Get the full detection package for T1003.005 including response playbook, investigation guide, and atomic red team tests.