This is about … .
SECURITY\Cache (requires elevated privileges to access). These credentials are in mscash2 format (they persist indefinitely). Use creddump to extract hashes from the hive (offline).
These hashes can't be used in pass-the-hash attacks because they are salted and encrypted.
By default, up to 25 hashes can be stored in the cache when someone logs in interactively. But how many hashes would be on a typical workstation? Hardly even 10. Attackers hope something interesting is left there.