MITRE ATT&CK® Tool

S0119: Cachedump

Cachedump is a publicly available tool that extracts cached password hashes from a system’s registry. [1]

Domain: Enterprise | ID: S0119 | Type: Tool | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Cachedump matters because it targets a Windows convenience feature: cached domain credentials that allow logon when a domain controller is unavailable. If an attacker can extract those hashes from the registry, the organization may face credential exposure that complicates incident containment, identity recovery, and trust decisions for affected endpoints.

Executive priority

Treat this as an identity-risk and resilience issue, not just a malware/tool signature. Leaders should ask whether Windows systems cache domain credentials, which systems are most business-critical, whether endpoint and registry telemetry is retained, and whether IR teams can quickly determine which accounts may need password resets or broader credential hygiene actions. The ATT&CK relationship to Cached Domain Credentials (T1003.005) places the defensive priority on credential-access readiness; the APT1 reference provides historical threat-intelligence context, not proof of current activity in any environment.

Technical view

Cachedump is a publicly available Windows tool that extracts cached password hashes from the registry. SOC and IR teams should validate visibility for suspicious process execution and registry access associated with cached domain credential extraction, especially on endpoints where domain users log on. Because ATT&CK provides no official detection text for this tool, detections should be built around the related behavior, T1003.005 Cached Domain Credentials, and tuned with local baselines for legitimate administration, forensic collection, and security testing activity.

Likely telemetry

  • Windows process creation and command-line telemetry
  • Endpoint detection and response events for credential-access behavior
  • Windows registry access/audit telemetry for credential cache-related areas
  • File creation, download, or execution evidence for publicly available credential-dumping tools
  • Authentication and account activity logs used during post-collection scoping

Detection direction

  • Confirm that Windows endpoint telemetry includes process execution and registry access events, not only authentication logs.
  • Build behavior-based detections for unusual processes accessing cached domain credential material in the registry rather than relying only on a tool name.
  • Correlate suspected cached-credential extraction with privileged account use, recent interactive logons, and affected host criticality to support IR prioritization.
  • Tune for false positives from approved incident response, forensic, penetration testing, and endpoint security tools that may legitimately inspect credential-related registry data.
  • Document gaps where registry auditing is disabled, endpoint agents are absent, or telemetry retention is too short to support credential-exposure scoping.
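The detection direction above, worked through as an added example (this is not code from the ATT&CK object, from MITRE or from Glexia). It assumes the two telemetry sources the bullets name are available in a normalized form: Windows Security event 4663 (object access) for the registry key HKLM\SECURITY\Cache, which holds the cached domain credential entries and which only produces 4663 events when the Audit Registry subcategory is enabled and a SACL is set on the key, and event 4624 (logon) with its logon type. The logic flags any non-allowlisted process opening the cache key (LSASS reads it during logon and is expected), then scopes which accounts had interactive logons on that host before the access, which is the set an IR team would consider for password resets. All hosts, timestamps, account names and the process path `dump.exe` are constructed sample data, and the allowlist and lookback window are assumptions to tune locally.

```python
"""Flag non-allowlisted access to the cached-credential registry key and scope affected accounts.

Added example; the events below are constructed, simplified Windows Security
event records (4663 object access, 4624 logon), not real telemetry.
"""
from datetime import datetime, timedelta

# The key holding cached domain credential entries, in the form 4663 reports it.
CACHE_KEY = r"\REGISTRY\MACHINE\SECURITY\CACHE"
# Processes expected to open the key (LSASS does at logon). Extend with approved
# IR, forensic and endpoint-security binaries during tuning (assumed list).
ALLOWLIST = {r"c:\windows\system32\lsass.exe"}
# 4624 logon types whose credentials end up in the cache:
# 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive.
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}

# Constructed sample events (field names mimic the event XML; values are made up).
EVENTS = [
    {"ts": "2024-05-01 09:00:00", "id": "4624", "host": "WS01", "account": "alice", "logon_type": "10"},
    {"ts": "2024-05-01 09:05:00", "id": "4624", "host": "WS01", "account": "svc_backup", "logon_type": "4"},
    {"ts": "2024-05-02 08:30:00", "id": "4624", "host": "WS01", "account": "bob", "logon_type": "2"},
    {"ts": "2024-05-02 08:30:01", "id": "4663", "host": "WS01", "account": "SYSTEM",
     "process": r"C:\Windows\System32\lsass.exe", "object": r"\REGISTRY\MACHINE\SECURITY\Cache"},
    {"ts": "2024-05-03 14:00:00", "id": "4663", "host": "WS01", "account": "bob",
     "process": r"C:\Users\bob\AppData\Local\Temp\dump.exe",  # placeholder path, not a real tool name
     "object": r"\REGISTRY\MACHINE\SECURITY\Cache"},
    {"ts": "2024-05-03 15:00:00", "id": "4624", "host": "WS01", "account": "carol", "logon_type": "10"},
    {"ts": "2024-05-03 16:00:00", "id": "4663", "host": "WS02", "account": "SYSTEM",
     "process": r"C:\Windows\System32\lsass.exe", "object": r"\REGISTRY\MACHINE\SECURITY\Cache"},
]


def _ts(event):
    """Parse the record timestamp (constructed format, one fixed pattern)."""
    return datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")


def find_suspicious_cache_access(events):
    """Return 4663 events where a process outside the allowlist opened the cache key."""
    hits = []
    for e in events:
        if e["id"] != "4663":
            continue
        if not e["object"].upper().startswith(CACHE_KEY):
            continue
        if e["process"].lower() in ALLOWLIST:
            continue  # expected reader (e.g. LSASS at logon)
        hits.append(e)
    return hits


def scope_affected_accounts(events, host, extraction_time, lookback_days=90):
    """Accounts whose cached credentials may have been on `host` when the key was read.

    Interactive logons on the host before the access count; batch/service logons do not.
    The real bound is the host's cached-logon count setting; the lookback is a practical cap.
    """
    window_start = extraction_time - timedelta(days=lookback_days)
    accounts = set()
    for e in events:
        if e["id"] != "4624" or e["host"] != host:
            continue
        if e["logon_type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        if window_start <= _ts(e) <= extraction_time:
            accounts.add(e["account"])
    return accounts


def triage(events):
    """Pair each suspicious access with the accounts an IR team should consider resetting."""
    report = []
    for hit in find_suspicious_cache_access(events):
        report.append({
            "host": hit["host"],
            "time": hit["ts"],
            "process": hit["process"],
            "actor": hit["account"],
            "accounts_to_reset": sorted(scope_affected_accounts(events, hit["host"], _ts(hit))),
        })
    return report


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Run against the constructed events, the only alert is the non-allowlisted process on WS01, and the scoping step returns alice and bob (interactive logons before the access) while excluding the batch logon and the logon that happened afterwards. The allowlist is deliberately a path match rather than a file name so that a renamed binary in a user-writable directory does not pass.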

Mitigation priorities

  • Review and minimize cached domain credential exposure on Windows systems where operationally feasible.
  • Limit administrative privileges and interactive logon rights on high-value endpoints and servers.
  • Harden endpoint controls to restrict unauthorized tool execution and suspicious registry access.
  • Prepare IR playbooks for determining affected accounts, resetting credentials, and validating whether credential access led to further activity.
  • Use compliance and audit evidence to show that identity telemetry, endpoint logging, and credential-handling controls are operating as intended.
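The first mitigation bullet, reviewing cached domain credential exposure, worked as an added example (not code from the ATT&CK object, MITRE or Glexia). The policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" is stored as the REG_SZ value CachedLogonsCount under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; Windows defaults to 10 when the value is absent and 0 disables caching. The example assumes the key was collected per host with `reg export` (the host names, export text and the threshold of 2 are constructed), parses the export format offline, and reports which hosts exceed the allowed count.

```python
"""Audit the cached-logon count from per-host `reg export` output.

Added example; sample export text is constructed. Real exports are UTF-16LE
with a BOM, so decode them before passing the text in.
"""

# Key (as written in a .reg file) that holds the cached-logon policy value.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Windows caches 10 logons when the value is not set; "0" disables caching.
DEFAULT_CACHED_LOGONS = 10

# Constructed sample exports keyed by host name.
SAMPLE_EXPORTS = {
    "WS01": (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{WINLOGON_KEY}]\n"
        '"DefaultDomainName"="CORP"\n'
        '"CachedLogonsCount"="10"\n'
    ),
    "SRV01": (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{WINLOGON_KEY}]\n"
        '"CachedLogonsCount"="0"\n'
    ),
    "KIOSK01": (  # value never set, so the Windows default applies
        "Windows Registry Editor Version 5.00\n\n"
        f"[{WINLOGON_KEY}]\n"
        '"DefaultDomainName"="CORP"\n'
    ),
}


def parse_reg_export(text):
    """Minimal .reg parser: returns {key_path: {value_name: string_value}} for REG_SZ values.

    Lines of the form "name"="value" are collected; dword:/hex: values are ignored
    because the policy value this audit needs is a string.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"="' in line:
            name, value = line[1:].split('"="', 1)
            keys[current][name] = value.rstrip('"')
    return keys


def cached_logons_count(export_text):
    """Effective cached-logon count for one host's Winlogon export."""
    winlogon = parse_reg_export(export_text).get(WINLOGON_KEY, {})
    raw = winlogon.get("CachedLogonsCount")
    return DEFAULT_CACHED_LOGONS if raw is None else int(raw)


def assess(exports_by_host, max_allowed):
    """Compare each host's effective count with the allowed maximum (assumed local policy)."""
    findings = []
    for host in sorted(exports_by_host):
        count = cached_logons_count(exports_by_host[host])
        findings.append({"host": host, "cached_logons": count, "compliant": count <= max_allowed})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_EXPORTS, max_allowed=2):
        print(f)
```

Against the constructed exports, SRV01 (value 0) passes a threshold of 2 while WS01 and KIOSK01 do not; KIOSK01 is flagged even though the value is absent, which is the case a naive "grep for the value" check misses. Servers and desktops that always reach a domain controller can usually run with 0; laptops typically need a small non-zero count, so the threshold is best set per host role.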

Analyst notes and limits

The supplied ATT&CK object identifies Cachedump as a publicly available Windows tool and links it to T1003.005 Cached Domain Credentials. The relationship showing APT1 use should be treated as source-backed historical context from the Mandiant APT1 report, not as a current-exploitation claim. The most useful defensive work is validating whether the organization can detect and scope cached credential extraction on Windows endpoints.

ATT&CK provides no official detection guidance, no aliases, no labels, and no tool-level tactics for this object. Local operating system configuration, registry auditing, endpoint coverage, credential-cache policy, and approved administrative tooling are required to turn this into reliable detections and response decisions.

Official MITRE ATT&CK definition

Cachedump

Cachedump is a publicly available tool that extracts cached password hashes from a system’s registry. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1003.005
Name: Cached Domain Credentials (sub-technique)
Relationship / procedure: Cachedump can extract cached password hashes from cache entry information. [1] (Mandiant APT1)

Associated objects

Groups, software, and campaigns

Group Enterprise

G0006: APT1

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources, Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 29bebe28be42b037...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 29bebe28be42…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Mandiant APT1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  2. [2] mitre-attack S0119. The S0119 (Cachedump) entry on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.