Logo
RSS Feed

🏺 Cache

Created: 21.06.2023

This is about … .

🏺 SECURITY\Cache (requires πŸ‘‘ to access). These credentials are in mscash2 format (persists indefinitely). Use πŸ› οΈ creddump to extract hashes from the hive (offline).

❗️Can’t be used in pass-the-hash attacks because they are salted and encrypted.

By default, up to 25 hashes can be stored in the cache when someone logs in interactively. But how many hashes would be on a typical workstation? Hardly even 10. Attackers hope something interesting is left there.

References

Expand… Something here