title: Ccache Files (T1558.005)
id: df00tech-t1558-005
status: experimental
description: "Adversaries may attempt to steal Kerberos tickets stored in credential cache (ccache) files. These files store short-lived Kerberos session credentials created at authentication, enabling access to network services without re-entering passwords. On Linux, ccache files are typically located in /tmp with names in the format krb5cc_<UID> or krb5.ccache; storage is governed by the KRB5CCNAME environment variable and /etc/krb5.conf. On macOS, ccache entries are held in memory under an API:{uuid} naming scheme, accessible via lower-level Kerberos framework APIs. Adversaries steal these files and replay tickets to authenticate as the victim without knowing their password (Pass the Ticket). Impacket tools including getST.py, getTGT.py, and ticketer.py are commonly used to programmatically interact with ccache files. Kekeo can convert ccache files to Windows kirbi format for reuse on Windows systems, enabling cross-platform lateral movement. Real-world usage includes APT groups operating in Active Directory environments with Linux-integrated systems."
references:
  - https://attack.mitre.org/techniques/T1558/005/
  - https://df00tech.com/detections/T1558.005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1558.005
# NOTE: logsource set to Linux process creation to match the ccache technique described above; adjust for your environment
logsource:
  category: process_creation
  product: linux
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Backup agents (Bacula, Veeam for Linux, Amanda) that scan /tmp during filesystem-level backups will trigger Branch 1 (the /tmp file-discovery branch of the df00tech query)"
  - "Security scanning tools (Qualys, Tenable Nessus) performing file discovery across /tmp will generate false positives from Branch 1"
  - "Legitimate Python applications using the gssapi or krb5 Python libraries for service-to-service Kerberos authentication will trigger Branch 2 (the Python Kerberos library branch); this is common in Hadoop, Spark, and Kafka deployments"
  - "System administrators manually running klist followed by cp to clone ccache files for debugging Kerberos delegation or KDC trust issues"
  - "Automated CI/CD pipeline agents (Jenkins, GitLab Runner) that use Kerberos credentials for accessing internal NFS shares or Kerberized databases"
level: high
