Understanding Cached Domain Credentials in Windows
- Jan 25, 2024
- 3 min read
- Updated 13 Feb, 2025
In a Windows domain environment, authentication is usually handled by the domain controller (DC). But what happens when a system is offline or unable to communicate with the DC? To prevent users from being locked out, Windows caches the last few logon credentials by default. This means that even if the DC is unreachable, users can still log in using their previously authenticated credentials.
By default, Windows caches the last ten logon credential hashes, and in Server 2008 this number was increased to 25. This might not seem like a big deal, but consider how many distinct users typically log into a workstation (usually fewer than ten). In practice the cache is rarely full, so cached credentials can remain stored on a system for an extended period, which is a security risk. If a high-privilege account, such as a domain administrator, has logged in at some point, its credentials might still be cached, making that machine a target for attackers.
Where Are Cached Credentials Stored?
Cached credentials are stored in the SECURITY registry hive, under the SECURITY\Cache key.
Reading these stored credentials requires administrator or SYSTEM privileges. In modern Windows versions they are stored in the mscash2 format (also known as DCC2), which salts the hash with the username so that precomputed (rainbow-table) attacks cannot be reused across accounts.
Since these credentials reside in the registry, they persist even after a reboot. Attackers can extract them offline using tools like creddump, which allows for credential retrieval from exported registry hives. However, unlike NTLM hashes, mscash2 hashes cannot be used in pass-the-hash (PtH) attacks. Instead, attackers must brute-force them using tools like John the Ripper or Hashcat. If the organization enforces strong password policies, cracking these hashes becomes significantly more difficult.
How Attackers Exploit Cached Credentials
Attackers are always looking for ways to extract credentials stealthily. One method is to avoid running suspicious tools on a compromised system and instead extract the relevant registry hives for offline analysis. This approach minimizes detection risks, as security tools often monitor active credential-dumping activities but may not flag simple registry exports.
A common attack technique involves using creddump, a Python-based tool, to extract both local hashes and cached domain credentials.
The process typically follows these steps:
Extracting local account hashes: Attackers dump hashes from the SAM hive using tools like pwdump.py.
Extracting cached domain credentials: Using cachedump.py, attackers retrieve cached domain credentials, which are far more valuable since they belong to domain accounts rather than just local accounts.
Cracking the hashes: Once extracted, the attacker cracks the hashes offline (by brute force or wordlist) to recover the plaintext passwords; hashes are not decrypted, so the strength of the underlying passwords determines how long this takes.
Cached domain credentials are particularly valuable because they can provide access to privileged accounts. If an administrator has ever logged into a compromised machine, their credentials might still be retrievable.
Mitigation Strategies
The best way to mitigate cached credential attacks is to limit an attacker's ability to gain local administrator or SYSTEM privileges, since those are required to read the SECURITY hive in the first place.
Limit the Number of Cached Logons
The number of cached logons is controlled by the following registry value under HKEY_LOCAL_MACHINE:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
The default setting is 10 for workstations and up to 25 for some servers.
Security baselines recommend setting the value to four or less. Some environments even opt for zero or one, but this can have unintended consequences.
Be cautious:
Service accounts and computer account logons are also cached. Smart card logins may count as two cached logons. Setting this value too low could prevent legitimate offline logins.
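As an added example (not code from the original post), the following PowerShell script audits the CachedLogonsCount value on the local machine and, with -Remediate, lowers it to the recommended maximum. The $MaxAllowed default of 4 follows the "four or less" guidance above and is an assumed threshold; the $Remediate switch and the script name are also assumptions. Run it from an elevated session.

```powershell
# Added example: audit (and optionally lower) CachedLogonsCount on this machine.
# Not part of the original post. $MaxAllowed and the -Remediate switch are assumed.
param(
    [int]$MaxAllowed = 4,   # "four or less" per common security baselines
    [switch]$Remediate      # without this switch the script only reports
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$valueName = 'CachedLogonsCount'

# The value is stored as REG_SZ (a string), so cast it before comparing.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    # A missing value means the OS default applies (10 on workstations).
    $effective = 10
    Write-Output "$valueName is not set; the effective default is $effective"
} else {
    $effective = [int]$current
    Write-Output "$valueName is currently $effective"
}

if ($effective -gt $MaxAllowed) {
    Write-Warning "Cached logon count $effective exceeds the recommended maximum of $MaxAllowed"
    if ($Remediate) {
        # Write the new value as a string to match the value's native REG_SZ type.
        Set-ItemProperty -Path $keyPath -Name $valueName -Value ([string]$MaxAllowed) -Type String
        Write-Output "Set $valueName to $MaxAllowed; this applies to subsequent logons"
    }
} else {
    Write-Output "Cached logon count is within policy"
}
```

Two practical notes: the value is REG_SZ, not REG_DWORD, which is why the script casts it; and on domain-joined machines the Group Policy setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" under Security Options writes the same value and will overwrite a local change at the next policy refresh, so use the script for auditing and standalone hosts and enforce the setting through GPO. Before lowering the count, remember the caveat above: service and computer account logons occupy cache slots too, and smart card logons may consume two.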
Use the Protected Users Security Group
Starting with Windows 8.1, Microsoft introduced the Protected Users security group, which provides additional safeguards against credential theft.
Accounts that belong to this group do not have their credentials cached, making it a valuable tool for protecting high-privilege accounts.
This feature is ideal for domain administrators and other high-value accounts, though it may not be feasible for all users.
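As an added example (not code from the original post), this PowerShell report uses the ActiveDirectory RSAT module to list members of high-privilege groups that are not yet in Protected Users, and dry-runs adding them. The $PrivilegedGroups list is an assumed starting point; tailor it to your domain. The Protected Users group must already exist in the domain for the lookup to succeed.

```powershell
# Added example: find privileged users not yet in Protected Users.
# Not part of the original post. $PrivilegedGroups is an assumed list.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

# Build a lookup of current Protected Users members keyed by SID.
$protected = @{}
Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $protected[$_.SID.Value] = $true }

# Expand each privileged group (including nested groups) to user accounts.
$report = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $_.SamAccountName
                InProtected    = $protected.ContainsKey($_.SID.Value)
            }
        }
}

# Accounts whose credentials can still be cached on workstations they log into.
$unprotected = $report | Where-Object { -not $_.InProtected } |
    Sort-Object SamAccountName -Unique
$unprotected | Format-Table -AutoSize

# Dry run of the fix; remove -WhatIf only after reviewing the list, because
# Protected Users members lose NTLM, RC4/DES Kerberos and delegation, which
# breaks service accounts and some legacy applications.
foreach ($u in $unprotected) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $u.SamAccountName -WhatIf
}
```

Review the output before removing -WhatIf: the point of the post's caveat that the group "may not be feasible for all users" is that the restrictions are strict, so move dedicated admin accounts first and keep service accounts out of the group.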
Final Thoughts
Understanding how Windows caches credentials is crucial for securing domain environments. While cached credentials provide convenience for offline access, they also introduce security risks if not managed properly.
By staying informed and implementing best practices, security teams can significantly reduce the attack surface and protect critical accounts from exploitation.
Dean