| description |
| --- |
| MITRE ATT&CK, Credential Access, Sub-technique T1003.005 |
With SYSTEM access, an attacker can dump cached domain credentials with Mimikatz or Secretsdump. Note that DCC hashes take significantly longer to crack than NT or Net-NTLM hashes, so I recommend starting with a simple password list and rule set that has been tailored to your target.
To crack these with Hashcat, each hash needs to be in the following format (iteration count, username and hash separated by `#`):

```
$DCC2$10240#parzival#e4e938d12fe5974dc42a90120bd9c90f
```
After ensuring the hashes are formatted appropriately, they can be cracked with the following command:

```
hashcat -m 2100 $dcc_file $wordlist
```
The following settings limit (or, at 0, remove) the cached domain credentials stored in LSA Secrets:

* Cached credential count set to 0 on servers
* Cached credential count set to 1 on workstations
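As an added defender-side check that is not part of the original page, the following PowerShell audits (and optionally sets) the local `CachedLogonsCount` registry value, which is what the "Interactive logon: Number of previous logons to cache" policy writes, against the targets above. It assumes Windows, an elevated session, and that the machine role can be derived from `Win32_OperatingSystem.ProductType`.

```powershell
# Added example (not from the original page): audit CachedLogonsCount against the
# recommended values (0 on servers, 1 on workstations). Run in an elevated session.
# Caveat: 0 on a laptop means no logon when a DC is unreachable, hence 1 on workstations.

function Test-CachedLogonsCount {
    [CmdletBinding()]
    param(
        # Apply the recommended value instead of only reporting. A domain GPO that
        # sets this policy will re-apply its own value at the next policy refresh.
        [switch]$Fix
    )

    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'CachedLogonsCount'

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    $role = switch ($productType) { 1 { 'Workstation' } 2 { 'DomainController' } default { 'Server' } }
    $target = if ($productType -eq 1) { 1 } else { 0 }

    # The value is stored as REG_SZ; when it is absent Windows uses the default of 10.
    $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $current = if ($null -eq $raw) { 10 } else { [int]$raw }

    $compliant = $current -le $target
    if (-not $compliant -and $Fix) {
        # Write the value as a string so the REG_SZ type the OS expects is preserved.
        Set-ItemProperty -Path $key -Name $name -Value "$target" -Type String
        $current   = $target
        $compliant = $true
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Role         = $role
        Current      = $current
        Target       = $target
        Compliant    = $compliant
    }
}

# Report only; add -Fix to apply the recommended value on this host.
Test-CachedLogonsCount | Format-Table -AutoSize
```

In a domain, the durable fix is the corresponding Group Policy setting scoped to server and workstation OUs; this script is for spot-checking hosts and confirming the policy actually landed.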
{% embed url="https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials" %}