Detect Cached Domain Credentials in Sumo Logic CSE
Adversaries access cached domain credentials (DCC2/MS-Cache v2), which Windows stores locally so that domain users can still log on when no domain controller is reachable. On Windows these are MSCACHE v2 (PBKDF2-derived) hashes held under HKLM\SECURITY\Cache; they cannot be used for pass-the-hash but can be cracked offline. Linux systems using SSSD store cached credentials at /var/lib/sss/db/cache.[domain].ldb. Tools that dump them include Mimikatz (lsadump::cache), LaZagne, Cachedump, and Quarks PwDump. Groups reported using this sub-technique include Okrum, APT33, OilRig, Leafminer, and MuddyWater.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1003 OS Credential Dumping
- Sub-technique: T1003.005 Cached Domain Credentials
- Canonical reference: https://attack.mitre.org/techniques/T1003/005/
Sumo Detection Query
(_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
| parse field=_raw "<EventID>*</EventID>" as event_id nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as process_image nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse field=_raw "<Data Name='TargetObject'>*</Data>" as target_object nodrop
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as target_filename nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as user nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as computer nodrop
| where (
    // Branch 1: process creation of a known cached-credential dumping tool
    (
      event_id = "1"
      and (
        matches(toLowerCase(command_line), ".*lsadump::cache.*")
        or matches(toLowerCase(command_line), ".*cachedump.*")
        or matches(toLowerCase(command_line), ".*mscache.*")
        or matches(toLowerCase(command_line), ".*ms-cache.*")
        or matches(toLowerCase(process_image), ".*(lazagne|cachedump|fgdump|gsecdump)\.exe")
      )
    )
    // Branch 2: registry access to the LSA cache or NL$ secrets by a process other than LSA/service hosts
    or (
      event_id in ("12", "13", "14")
      and (
        matches(target_object, ".*\\\\SECURITY\\\\Cache.*")
        or matches(target_object, ".*\\\\SECURITY\\\\Policy\\\\Secrets\\\\NL\$.*")
      )
      and !matches(toLowerCase(process_image), ".*(lsass|svchost|services)\.exe")
    )
    // Branch 3: file activity in the SSSD (or VAS) credential cache directory by a non-sssd process
    or (
      event_id = "11"
      and (
        matches(target_filename, "/var/lib/sss/db/.*")
        or matches(target_filename, "/var/opt/quest/vas/authcache/.*")
      )
      and !matches(toLowerCase(process_image), ".*sssd.*")
    )
  )
| eval detection_type = if(event_id = "1", "Process-CredDumpTool",
    if(event_id in ("12","13","14"), "Registry-LSACache", "File-SSSDCache"))
| fields _messageTime, computer, user, process_image, command_line, target_object, target_filename, detection_type, event_id
| sort by _messageTime desc

Sumo Logic query detecting T1003.005 cached credential access via Sysmon event parsing. It identifies process creation of known credential dumping tools, registry access to SECURITY\Cache and the NL$ policy secrets by processes other than LSASS and service hosts, and file-level access to Linux SSSD credential databases. Findings are classified by detection type for triage prioritization.
False Positives & Tuning
- Enterprise endpoint management platforms (Microsoft SCCM, Tanium) performing registry enumeration during inventory scans — add known management process names to exclusion list
- Windows credential roaming or Credential Manager synchronization processes that legitimately access SECURITY hive subkeys
- Security compliance scanning tools (CIS-CAT, SCAP) checking LSA configuration — identify by scan schedule and source IP correlation
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Mimikatz Cached Domain Credentials Dump
  Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe with 'lsadump::cache' in CommandLine. Sysmon Event ID 12/13: Registry access to HKLM\SECURITY\Cache by mimikatz.exe. Security Event ID 4688 for mimikatz.exe.
- Test 2: Check Cached Credential Count via Registry
  Expected signal: Sysmon Event ID 12: Registry Key Opened for HKLM\SECURITY\Cache (if Sysmon is configured to log registry reads). Security Event ID 4656/4663 if registry auditing is enabled. Process Create for reg.exe.
- Test 3: Linux SSSD Cache Access Simulation
  Expected signal: Linux auditd events for file access on /var/lib/sss/db/ by non-sssd processes. Syslog entries for file access audit events. Process creation events for ls, file, and stat commands.
References
- https://attack.mitre.org/techniques/T1003/005/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565
- https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials
- https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html
- https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md