Esc
Cached Domain Credentials - T1003.005

(ATT&CK® Technique)
Definition

Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1003005["Cached Domain Credentials"] --> |accesses| EncryptedCredential["Encrypted Credential"]; class T1003005 OffensiveTechniqueNode;
        class EncryptedCredential ArtifactNode; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential";
        click T1003005 href "/offensive-technique/attack/T1003.005/"; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential"; T1003005["Cached Domain Credentials"] --> |may-modify| Log["Log"]; class T1003005 OffensiveTechniqueNode;
        class Log ArtifactNode; click Log href "/dao/artifact/d3f:Log";
        click T1003005 href "/offensive-technique/attack/T1003.005/"; click Log href "/dao/artifact/d3f:Log";                          DecoyUserCredential["Decoy User Credential"] -->
          | spoofs | EncryptedCredential["Encrypted Credential"];

          DecoyUserCredential["Decoy User Credential"] -.->
            | may-deceive | T1003005["Cached Domain Credentials"] ;
          class DecoyUserCredential DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -->
          | analyzes | EncryptedCredential["Encrypted Credential"];

          CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.->
            | may-detect | T1003005["Cached Domain Credentials"] ;
          class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis";                           CredentialRevocation["Credential Revocation"] -->
          | deletes | EncryptedCredential["Encrypted Credential"];

          CredentialRevocation["Credential Revocation"] -.->
            | may-evict | T1003005["Cached Domain Credentials"] ;
          class CredentialRevocation DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click CredentialRevocation href "/technique/d3f:CredentialRevocation"; CredentialRotation["Credential Rotation"] -->
          | regenerates | EncryptedCredential["Encrypted Credential"];

          CredentialRotation["Credential Rotation"] -.->
            | may-harden | T1003005["Cached Domain Credentials"] ;
          class CredentialRotation DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click CredentialRotation href "/technique/d3f:CredentialRotation"; Multi-factorAuthentication["Multi-factor Authentication"] -->
          | uses | EncryptedCredential["Encrypted Credential"];

          Multi-factorAuthentication["Multi-factor Authentication"] -.->
            | may-harden | T1003005["Cached Domain Credentials"] ;
          class Multi-factorAuthentication DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication";                                        CredentialHardening["Credential Hardening"] -->
          | hardens | EncryptedCredential["Encrypted Credential"];

          CredentialHardening["Credential Hardening"] -.->
            | may-harden | T1003005["Cached Domain Credentials"] ;
          class CredentialHardening DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click CredentialHardening href "/technique/d3f:CredentialHardening";    AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -->
          | deletes | EncryptedCredential["Encrypted Credential"];

          AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.->
            | may-evict | T1003005["Cached Domain Credentials"] ;
          class AuthenticationCacheInvalidation DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation";              CredentialTransmissionScoping["Credential Transmission Scoping"] -->
          | isolates | EncryptedCredential["Encrypted Credential"];

          CredentialTransmissionScoping["Credential Transmission Scoping"] -.->
            | may-isolate | T1003005["Cached Domain Credentials"] ;
          class CredentialTransmissionScoping DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; ReissueCredential["Reissue Credential"] -->
          | restores | EncryptedCredential["Encrypted Credential"];

          ReissueCredential["Reissue Credential"] -.->
            | may-restore | T1003005["Cached Domain Credentials"] ;
          class ReissueCredential DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click ReissueCredential href "/technique/d3f:ReissueCredential";
json