Cached domain credentials (also called MSCache or DCC2) are hashes of domain users' passwords that Windows stores locally so a user can log in when no Domain Controller is reachable (laptops, remote sites). They are kept in the SECURITY hive. Unlike NT hashes they cannot be passed, only cracked offline, but a weak password cracks quickly. Dumping them with local admin exposes the cached hashes of every domain user who has logged into that machine, including admins, and each one with a weak password becomes a cleartext domain credential.
What cached domain credentials are
When a domain user logs into a Windows machine, the OS caches a verifier of their domain password locally so they can still log in if the Domain Controller is offline. This is the MSCache v2 (DCC2) format, stored in LSA secrets within the SECURITY hive.
By default the last several logons are cached, so a shared workstation or a server that admins log into holds multiple domain users’ cached credentials.
The dump and payload
With local admin or SYSTEM, dump the cache and crack it:
- Extract DCC2 hashes:
  secretsdump.py -security security.hiv -system system.hiv LOCAL
  (shows $DCC2$ entries).
- These cannot be passed (the format is not usable for Pass-the-Hash), so crack them offline:
  hashcat -m 2100 dcc2.txt wordlist
- A weak domain password cracks fast, handing the attacker a cleartext domain credential, potentially an admin who logged in once.
Documented techniques shown for defenders.
How to defend
- Reduce the number of cached logons via policy (down to 1 or 0 on sensitive hosts) so fewer credentials sit on each machine.
- Keep privileged accounts off ordinary workstations so their credentials are never cached there (tiered administration).
- Enforce strong domain passwords so DCC2 hashes resist cracking.
- Limit local-admin rights, since local admin (or SYSTEM) is what dumping the SECURITY hive requires.
- Detect SECURITY hive access and offline-cracking indicators.
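A defender-side check for the first mitigation, added here as an example and not part of the original article: it reads the Winlogon CachedLogonsCount value that the "Interactive logon: Number of previous logons to cache" policy controls, compares it with a per-tier limit, and lowers it only when the host is out of policy. The tier names and limits are assumed values for illustration.

```powershell
# Added example: audit and remediate the cached-logon count on a Windows host.
# The policy "Interactive logon: Number of previous logons to cache" writes
# CachedLogonsCount (REG_SZ, 0-50, default 10) under the Winlogon key.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Hypothetical tiering limits: sensitive hosts keep 0 or 1, workstations a few.
$TierLimits = @{ 'tier0' = 0; 'tier1' = 1; 'workstation' = 4 }

function Get-CachedLogonsCount {
    # The value is absent on an unconfigured host, which means the default of 10.
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.CachedLogonsCount
}

function Test-CachedLogonsPolicy {
    param([Parameter(Mandatory)][ValidateSet('tier0','tier1','workstation')][string]$Tier)
    $current = Get-CachedLogonsCount
    $limit   = $TierLimits[$Tier]
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Tier      = $Tier
        Current   = $current
        Limit     = $limit
        Compliant = ($current -le $limit)
    }
}

function Set-CachedLogonsCount {
    param([Parameter(Mandatory)][ValidateRange(0,50)][int]$Count)
    # Written as a string because the OS reads this value as REG_SZ.
    # 0 means domain users cannot log on at all while no DC is reachable.
    Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value "$Count" -Type String
}

# Usage: audit first, remediate only when out of policy.
$result = Test-CachedLogonsPolicy -Tier 'tier1'
$result | Format-List
if (-not $result.Compliant) {
    Set-CachedLogonsCount -Count $result.Limit
    Write-Host "CachedLogonsCount lowered to $($result.Limit) on $($result.Host)."
}
```

On a domain-joined host where the GPO sets this policy, Group Policy will overwrite a local change, so apply the limit in the GPO and use this script as the compliance check.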