
MsCacheV2 Misconfiguration

VSR: 4
CVSS: 6.0 – 7.9
Risk: High
ID: OS-CFDB-1007

Finding MITRE ATT&CK Correlation

Name: Credential Dumping
Tactic: Credential Access
ID: T1003
Link: https://attack.mitre.org/wiki/Technique/T1003

Finding Metadata

Finding Service(s)

Service
Internal Penetration Testing
External Penetration Testing

NIST 800-53 Control(s)

NIST
CM-2
CM-6
IA-2
IA-3

Finding Development

Author Name Twitter Handle Email Created Updated

Technical Information

Description

The technical overview of a finding, not meant to be all-inclusive.

MsCacheV2 is Microsoft's implementation of local password storage for domain users. These cached credentials are stored using the registry and the local SAM hive. By default, Windows caches up to 10 credentials locally and removes the oldest credential as new ones populate the host. Caching takes place for Interactive Logons (Type 2), Service Logons (Type 5), and Remote Interactive Logons (Type 10).

Impact

How a finding result will affect an organization.

If an attacker can gain elevated system privileges on a compromised host, the attacker could gather MsCacheV2 credentials. These hashes could then potentially be cracked using the PBKDF2 hashing algorithm, which uses the “Username” as the known salt value. Cracked MsCacheV2 credentials could potentially be used for further lateral movement or compromise of internal domain systems.

Recommendation

Current plan of action recommended.

The assessment team recommends that MsCacheV2 credential caching be limited to three accounts at any given time. This setting can be adjusted via GPO (Group Policy Objects).
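One way to verify the recommendation above is to audit an exported security template (a `secedit /export` file or a GPO's GptTmpl.inf) for the cached-logon limit. This is an added example, not part of the OS-CFDB entry: the registry value name `CachedLogonsCount` is the value behind the GPO setting and is not named on the page, and the sample templates and function names are constructed for illustration.

```python
import re

# Registry value behind the GPO setting "Interactive logon: Number of previous
# logons to cache"; not named on the page, supplied here as background.
VALUE_KEY = r"machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount"
WINDOWS_DEFAULT = 10   # default cache size stated in the description
RECOMMENDED_MAX = 3    # limit from the recommendation


def cached_logons_count(template_text):
    """Return the count configured in a security template, or None if unset."""
    in_section = False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, data = line.partition("=")
        if key.strip().lower() != VALUE_KEY:
            continue
        # Data looks like: 1,"10"  (type 1 = REG_SZ, then the quoted value)
        match = re.fullmatch(r'\s*\d+\s*,\s*"?(\d+)"?\s*', data)
        if match is None:
            raise ValueError(f"unparseable CachedLogonsCount data: {data!r}")
        return int(match.group(1))
    return None


def audit(template_text, limit=RECOMMENDED_MAX):
    """Return (effective_count, compliant, note) for one exported template."""
    configured = cached_logons_count(template_text)
    if configured is None:
        # Assumes no other policy sets the value on the host.
        return WINDOWS_DEFAULT, WINDOWS_DEFAULT <= limit, "not set in template, default assumed"
    return configured, configured <= limit, "set by policy"


# Constructed sample templates (not taken from a real host).
SAMPLE_DEFAULT = "[Unicode]\nUnicode=yes\n[System Access]\nMinimumPasswordLength = 14\n"
SAMPLE_WEAK = ('[Registry Values]\nMACHINE\\Software\\Microsoft\\Windows NT\\'
               'CurrentVersion\\Winlogon\\CachedLogonsCount=1,"10"\n')
SAMPLE_HARDENED = SAMPLE_WEAK.replace('"10"', '"3"')

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT), ("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)]:
        print(name, audit(text))
```

Files written by `secedit /export` are UTF-16 encoded, so read them with `open(path, encoding="utf-16")` before passing the text to `audit`.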