Ccache Files - T1558.005
(ATT&CK® Technique)
Definition
Adversaries may attempt to steal Kerberos tickets stored in credential cache (ccache) files. These files are used for short-term storage of a user's active session credentials. The ccache file is created upon user authentication and allows access to multiple services without the user having to re-enter credentials. For the same reason, a copied cache can typically be reused to reach those services as that user until the tickets it holds expire.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR
    %% D3FEND inferred-relationship graph for ATT&CK T1558.005 (Ccache Files).
    %% Solid arrows (-->) link a technique to the Kerberos Ticket artifact it acts on.
    %% Dotted arrows (-.->) are the inferred "may-..." relations from a defensive
    %% technique to the offensive technique, drawn because both touch that artifact.

    %% Offensive technique and the artifact it reads or produces
    T1558005["Ccache Files"] --> |may-access| KerberosTicket["Kerberos Ticket"]
    T1558005 --> |may-create| KerberosTicket
    class T1558005 OffensiveTechniqueNode
    class KerberosTicket ArtifactNode
    click KerberosTicket href "/dao/artifact/d3f:KerberosTicket"
    click T1558005 href "/offensive-technique/attack/T1558.005/"

    %% Deceive
    DecoyUserCredential["Decoy User Credential"] --> | spoofs | KerberosTicket
    DecoyUserCredential -.-> | may-deceive | T1558005
    class DecoyUserCredential DefensiveTechniqueNode
    click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"

    %% Detect
    CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | KerberosTicket
    CredentialCompromiseScopeAnalysis -.-> | may-detect | T1558005
    class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode
    click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"

    %% Evict
    AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | KerberosTicket
    AuthenticationCacheInvalidation -.-> | may-evict | T1558005
    class AuthenticationCacheInvalidation DefensiveTechniqueNode
    click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"

    CredentialRevocation["Credential Revocation"] --> | deletes | KerberosTicket
    CredentialRevocation -.-> | may-evict | T1558005
    class CredentialRevocation DefensiveTechniqueNode
    click CredentialRevocation href "/technique/d3f:CredentialRevocation"

    %% Harden
    CredentialRotation["Credential Rotation"] --> | regenerates | KerberosTicket
    CredentialRotation -.-> | may-harden | T1558005
    class CredentialRotation DefensiveTechniqueNode
    click CredentialRotation href "/technique/d3f:CredentialRotation"

    TokenBinding["Token Binding"] --> | strengthens | KerberosTicket
    TokenBinding -.-> | may-harden | T1558005
    class TokenBinding DefensiveTechniqueNode
    click TokenBinding href "/technique/d3f:TokenBinding"

    Multi-factorAuthentication["Multi-factor Authentication"] --> | uses | KerberosTicket
    Multi-factorAuthentication -.-> | may-harden | T1558005
    class Multi-factorAuthentication DefensiveTechniqueNode
    click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"

    Token-basedAuthentication["Token-based Authentication"] --> | uses | KerberosTicket
    Token-basedAuthentication -.-> | may-harden | T1558005
    class Token-basedAuthentication DefensiveTechniqueNode
    click Token-basedAuthentication href "/technique/d3f:Token-basedAuthentication"

    %% Isolate
    CredentialTransmissionScoping["Credential Transmission Scoping"] --> | isolates | KerberosTicket
    CredentialTransmissionScoping -.-> | may-isolate | T1558005
    class CredentialTransmissionScoping DefensiveTechniqueNode
    click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"

    %% Restore
    ReissueCredential["Reissue Credential"] --> | restores | KerberosTicket
    ReissueCredential -.-> | may-restore | T1558005
    class ReissueCredential DefensiveTechniqueNode
    click ReissueCredential href "/technique/d3f:ReissueCredential"

    %% Harden (listed last on the source page)
    CredentialHardening["Credential Hardening"] --> | hardens | KerberosTicket
    CredentialHardening -.-> | may-harden | T1558005
    class CredentialHardening DefensiveTechniqueNode
    click CredentialHardening href "/technique/d3f:CredentialHardening"