Esc
Cached Domain Credentials - T1003.005
(ATT&CK® Technique)
Definition
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1003005["Cached Domain Credentials"] --> |accesses| EncryptedCredential["Encrypted Credential"]; class T1003005 OffensiveTechniqueNode; class EncryptedCredential ArtifactNode; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential"; click T1003005 href "/offensive-technique/attack/T1003.005/"; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential"; T1003005["Cached Domain Credentials"] --> |may-modify| Log["Log"]; class T1003005 OffensiveTechniqueNode; class Log ArtifactNode; click Log href "/dao/artifact/d3f:Log"; click T1003005 href "/offensive-technique/attack/T1003.005/"; click Log href "/dao/artifact/d3f:Log"; CredentialRevoking["Credential Revoking"] --> | deletes | EncryptedCredential["Encrypted Credential"]; CredentialRevoking["Credential Revoking"] -.-> | May Evict | T1003005["Cached Domain Credentials"] ; class CredentialRevoking DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialRevoking href "/technique/d3f:CredentialRevoking"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | EncryptedCredential["Encrypted Credential"]; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.-> | May Evict | T1003005["Cached Domain Credentials"] ; class AuthenticationCacheInvalidation DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | EncryptedCredential["Encrypted Credential"]; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.-> | May Detect | T1003005["Cached Domain Credentials"] ; class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; DecoyUserCredential["Decoy User Credential"] --> | spoofs | EncryptedCredential["Encrypted Credential"]; DecoyUserCredential["Decoy User Credential"] -.-> | May Deceive | T1003005["Cached Domain Credentials"] ; class DecoyUserCredential DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; CredentialTransmissionScoping["Credential Transmission Scoping"] --> | restricts | EncryptedCredential["Encrypted Credential"]; CredentialTransmissionScoping["Credential Transmission Scoping"] -.-> | May Harden | T1003005["Cached Domain Credentials"] ; class CredentialTransmissionScoping DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; CredentialRotation["Credential Rotation"] --> | regenerates | EncryptedCredential["Encrypted Credential"]; CredentialRotation["Credential Rotation"] -.-> | May Harden | T1003005["Cached Domain Credentials"] ; class CredentialRotation DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialRotation href "/technique/d3f:CredentialRotation"; ReissueCredential["Reissue Credential"] --> | restores | EncryptedCredential["Encrypted Credential"]; ReissueCredential["Reissue Credential"] -.-> | May Restore | T1003005["Cached Domain Credentials"] ; class ReissueCredential DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click ReissueCredential href "/technique/d3f:ReissueCredential";