MITRE ATT&CK® Detection Strategy

DET0513: Detection of Cached Domain Credential Dumping via Local Hash Cache Access

Enterprise | DET0513 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0513 is a MITRE ATT&CK detection strategy for identifying attempts to dump cached domain credentials by accessing local hash caches. Its practical value is that cached credentials can preserve access when domain controllers are unavailable, so abuse of those local caches is a credential-access concern that can affect incident containment, account reset decisions, and confidence in endpoint hygiene.

Executive priority

Treat this as a credential-access detection priority tied to ATT&CK T1003.005, Cached Domain Credentials. Security leaders should ask whether SOC and incident response teams can prove they collect and review evidence of local cached credential access on systems where domain authentication is used. The business decision value is in reducing uncertainty during an intrusion: if cached credential access cannot be detected or scoped, responders may need broader account protection, endpoint containment, and audit follow-up.

Technical view

The supplied detection strategy has no official description, detection logic, tactics, or platforms of its own. Its only provided relationship is that it detects T1003.005, which is a credential-access technique involving cached domain credentials and is associated with Windows and Linux in the related ATT&CK object. Detection engineering should therefore validate coverage around local hash cache access and credential material handling on relevant endpoints, while avoiding assumptions that DET0513 itself defines a complete analytic or platform-specific implementation.

Likely telemetry

  • Endpoint security events showing access to local credential or hash cache locations
  • Operating system audit logs for sensitive file, registry, or credential-store access where configured
  • Process execution and command-line telemetry around tools or processes interacting with credential cache material
  • File access telemetry for protected authentication-related data stores
  • Privilege-use and account-context telemetry showing which user or process accessed cached credential material

Detection direction

  • Map existing analytics to T1003.005 rather than treating DET0513 as a complete detection rule, because the ATT&CK object does not provide official detection text.
  • Validate that telemetry exists before tuning: many gaps will be caused by missing endpoint file-access, process, or privilege-use visibility rather than poor rule logic.
  • Prioritize context-rich alerts where suspicious local credential cache access is paired with unusual process lineage, elevated privileges, or activity on systems that store domain cached credentials.
  • Tune carefully for administrative and security tooling that may legitimately inspect authentication-related artifacts during backup, compliance, forensics, or endpoint protection operations.
  • Use the relationship to Cached Domain Credentials to drive IR scoping: determine which hosts had local cache access, which accounts may be represented in those caches, and whether additional credential protection actions are needed.
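The Detection direction items above can be exercised end to end on constructed telemetry. The block below is an added example, not Glexia's or MITRE's code: it checks that the needed telemetry fields are present before any tuning, raises a context-rich alert only when access to a cached-credential location is paired with process lineage and privilege context, excuses allowlisted administrative tooling only when its lineage matches, and groups the results by host and account for IR scoping. The event schema, the tool names in the allowlist and the sample events are all constructed assumptions; HKLM\SECURITY\Cache is the known Windows store for cached domain credentials, while the SSSD cache directory is an assumption about a Linux deployment.

```python
"""Added example (not Glexia's or MITRE's code): an offline analytic for
T1003.005-style access to local credential cache locations, built from
constructed endpoint telemetry with a hypothetical event schema."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    """One normalized endpoint access event (hypothetical schema, not an ATT&CK field set)."""
    host: str
    user: str
    process: str      # image name of the process that performed the access
    parent: str       # image name of its parent process (lineage context)
    elevated: bool    # whether the access ran with elevated/SYSTEM privileges
    target: str       # registry key or file path that was accessed


# Locations the deployment treats as cached-credential material (lower-cased prefixes).
# HKLM\SECURITY\Cache is the known Windows store for cached domain credentials;
# the SSSD directory is an assumption about the Linux deployment.
CREDENTIAL_CACHE_LOCATIONS = (
    r"hklm\security\cache",
    "/var/lib/sss/db/",
)

# Constructed allowlist of (process, expected parent) pairs for tooling that
# legitimately touches authentication artifacts (backup, endpoint protection).
# Lineage is part of the key so a re-parented copy of the tool is not excused.
ADMIN_TOOL_ALLOWLIST = {
    ("backupagent.exe", "services.exe"),
    ("edr_sensor.exe", "services.exe"),
}


def is_cache_access(target: str) -> bool:
    """True when the target is, or lies under, a configured credential cache location."""
    t = target.lower()
    return any(t.startswith(loc) for loc in CREDENTIAL_CACHE_LOCATIONS)


def validate_telemetry(events: list[AccessEvent]) -> dict[str, bool]:
    """Confirm the data needed for context-rich alerting is present before tuning:
    a False here is a visibility gap, not a rule-logic problem."""
    return {
        "cache_location_access": any(is_cache_access(e.target) for e in events),
        "process_lineage": all(bool(e.parent) for e in events),
        "privilege_context": all(isinstance(e.elevated, bool) for e in events),
    }


def classify(event: AccessEvent) -> str:
    """Return 'ignore', 'allowlisted' or 'alert' for a single event."""
    if not is_cache_access(event.target):
        return "ignore"
    if (event.process.lower(), event.parent.lower()) in ADMIN_TOOL_ALLOWLIST:
        return "allowlisted"
    return "alert"


def detect(events: list[AccessEvent]) -> list[dict]:
    """Emit one alert per non-allowlisted cache access, carrying lineage and
    privilege context and mapped to the ATT&CK sub-technique."""
    alerts = []
    for e in events:
        if classify(e) != "alert":
            continue
        alerts.append({
            "technique": "T1003.005",
            "host": e.host,
            "user": e.user,
            "lineage": f"{e.parent} -> {e.process}",
            "target": e.target,
            "severity": "high" if e.elevated else "medium",
        })
    return alerts


def scope_incident(alerts: list[dict]) -> dict[str, list[str]]:
    """IR scoping: which hosts saw cache access, and under which account contexts."""
    by_host: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["user"])
    return {h: sorted(users) for h, users in sorted(by_host.items())}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    AccessEvent("WKS-01", r"CORP\jdoe", "unknown.exe", "cmd.exe", True, r"HKLM\SECURITY\Cache"),
    AccessEvent("WKS-01", "SYSTEM", "backupagent.exe", "services.exe", True, r"HKLM\SECURITY\Cache"),
    AccessEvent("SRV-02", r"CORP\svc_backup", "backupagent.exe", "cmd.exe", True, r"HKLM\SECURITY\Cache"),
    AccessEvent("WKS-03", "jdoe", "unknown", "bash", False, "/var/lib/sss/db/cache_corp.ldb"),
    AccessEvent("WKS-03", "jdoe", "firefox", "bash", False, "/home/jdoe/.cache/mozilla"),
]

if __name__ == "__main__":
    print("telemetry check:", validate_telemetry(SAMPLE_EVENTS))
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print("ALERT", alert)
    print("scoping:", scope_incident(found))
```

Of the five constructed events, the backup agent launched by the service manager is excused, the same agent launched from an unexpected parent is not, and the Linux event is alerted at lower severity because it ran without elevation; the scoping output then lists the three hosts and the account context on each.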

Mitigation priorities

  • First confirm whether systems retain cached domain credentials and whether that configuration aligns with operational resilience requirements.
  • Reduce unnecessary cached credential exposure where business continuity requirements allow, recognizing that cached credentials support authentication when a domain controller is unavailable.
  • Harden and monitor privileged access to endpoints that may store cached domain credentials.
  • Ensure incident response playbooks include host containment, credential scoping, and account protection steps when cached credential access is suspected.
  • Maintain audit evidence showing what telemetry is collected for credential-access behavior and how it supports detection and response for T1003.005.

Analyst notes and limits

This take is based on the official DET0513 metadata and its relationship to T1003.005. The detection strategy object itself is sparse: no official description, detection logic, tactics, or platforms are provided. The related technique supplies the credential-access context and the Windows/Linux platform association.

Local implementation details are required to turn this into deployable detection content. The provided ATT&CK fields do not specify exact data sources, event IDs, tool names, queries, thresholds, or guaranteed detection methods. Coverage claims should be validated against the organization’s actual endpoint logging, operating system configuration, and response procedures.

Official MITRE ATT&CK definition

Detection of Cached Domain Credential Dumping via Local Hash Cache Access

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID | Name | Relationship / procedure
Enterprise | T1003.005 | Cached Domain Credentials (Sub-technique) | This object detects Cached Domain Credentials.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 25d974b9d9c83e90...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 25d974b9d9c8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, DET0513 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.