title: Cached Domain Credentials (T1003.005)
id: df00tech-t1003-005
status: experimental
description: "Adversaries access cached domain credentials (DCC2/MS-Cache v2) stored locally for offline authentication when domain controllers are unavailable. On Windows, these are stored as MSCACHE v2 (PBKDF2-derived) hashes in HKLM\\SECURITY\\Cache and cannot be used for pass-the-hash but can be cracked offline. Linux systems using SSSD store cached credentials at /var/lib/sss/db/cache.[domain].ldb. Tools include Mimikatz (lsadump::cache), LaZagne, Cachedump, and Quarks PwDump. Used by Okrum, APT33, OilRig, Leafminer, MuddyWater."
references:
  - https://attack.mitre.org/techniques/T1003/005/
  - https://df00tech.com/detections/T1003.005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1003.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: 'EventID: *' matches every process_creation event,
  # so this rule should not be deployed as-is.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Security auditing tools inventorying cached credentials as part of authorized security assessments
  - "Incident response tooling that reads SECURITY\\Cache for forensic purposes during authorized investigations"
  - Enterprise password auditing solutions scanning cached credential strength
  - Backup agents with SYSTEM privileges reading SECURITY hive including Cache key
level: high
