MITRE ATT&CK® Technique

T1558.005: Ccache Files

Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). These files are used for short-term storage of a user's active session credentials. The ccache file is created upon user authentication and allows for access to multiple services without the user having to re-enter credentials.

The /etc/krb5.conf configuration file and the KRB5CCNAME environment variable are used to set the storage location for ccache entries. On Linux, credentials are typically stored in the `/tmp` directory with a naming format of `krb5cc_%UID%` or `krb5.ccache`. On macOS, ccache entries are stored by default in memory with an `API:{uuid}` naming scheme. Typically, users interact with ticket storage using kinit, which obtains a Ticket-Granting-Ticket (TGT) for the principal; klist, which lists obtained tickets currently held in the credentials cache; and other built-in binaries.[1][2]

Adversaries can collect tickets from ccache files stored on disk and authenticate as the current user without their password to perform Pass the Ticket attacks. Adversaries can also use these tickets to impersonate legitimate users with elevated privileges to perform Privilege Escalation. Tools like Kekeo can also be used by adversaries to convert ccache files to Windows format for further Lateral Movement. On macOS, adversaries may use open-source tools or the Kerberos framework to interact with ccache files and extract TGTs or Service Tickets via lower-level APIs.[3][4][5][6]

Enterprise | T1558.005 | Sub-technique | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Ccache file theft matters because Kerberos tickets can let an intruder authenticate as a legitimate Linux or macOS user without knowing that user’s password. For leaders, the practical risk is not the file itself; it is whether stolen short-lived session credentials can become a path to privileged access, Pass-the-Ticket activity, or movement into other services before defenders notice.

Executive priority

Prioritize this where Linux or macOS systems participate in Kerberos realms or hold privileged user sessions. Executives should ask whether teams know where Kerberos credential caches are stored, whether access to those locations is restricted, and whether audit evidence exists for suspicious access to ccache files, Kerberos configuration, and ticket-management utilities. This is especially relevant to incident response readiness because password resets alone may not address active ticket abuse during an intrusion.

Technical view

This is a credential-access sub-technique of Steal or Forge Kerberos Tickets focused on ccache files on Linux and macOS. Validate host coverage for Linux paths such as /tmp files named krb5cc_%UID% or krb5.ccache, configuration references in /etc/krb5.conf, and use of the KRB5CCNAME environment variable. On macOS, account for default memory-backed API:{uuid} cache behavior and potential interaction through Kerberos framework APIs. DET0024 is the related detection strategy, and teams should also consider relationship context to Pass the Ticket and Impacket when triaging Kerberos-related credential activity.
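
As an added example (not code from Glexia, MITRE or the cited sources), the Python below resolves where MIT Kerberos on a Linux host will actually place a user's ccache, following the precedence KRB5CCNAME, then default_ccache_name in the [libdefaults] section of /etc/krb5.conf, then the built-in FILE:/tmp/krb5cc_%{uid}. The sample krb5.conf is constructed; it also reports whether the resolved cache is a file on disk at all, because a KEYRING:, KCM: or MEMORY: cache never produces the /tmp file access that the telemetry below relies on.

```python
"""Resolve the effective MIT Kerberos ccache for a Linux user (added example).
Precedence: KRB5CCNAME, then default_ccache_name in [libdefaults] of
/etc/krb5.conf (with %{...} expansion), then the built-in FILE:/tmp/krb5cc_%{uid}."""
import re

BUILTIN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"
ON_DISK_TYPES = {"FILE", "DIR"}  # KEYRING/KCM/MEMORY/API caches leave no /tmp file
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  default_ccache_name = KEYRING:persistent:%{uid}   # constructed sample
[realms]
  EXAMPLE.COM = { kdc = kdc.example.com }
"""

def libdefault(conf_text, key):
    """Return `key` from the [libdefaults] section of krb5.conf text, else None."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k == key:
                return v
    return None

def expand(template, uid, username, temp="/tmp"):
    """Expand the %{...} parameters MIT Kerberos substitutes in default_ccache_name."""
    subs = {"uid": str(uid), "euid": str(uid), "username": username, "TEMP": temp, "null": ""}
    return re.sub(r"%\{(\w+)\}", lambda m: subs.get(m.group(1), m.group(0)), template)

def cache_type(name):
    """Cache type prefix; a bare path such as /tmp/krb5cc_1000 is a FILE cache."""
    prefix, sep, _ = name.partition(":")
    return prefix if sep and prefix.isalpha() else "FILE"

def resolve_ccache(env, conf_text, uid, username):
    """Return (setting source, resolved cache name, whether it is a file on disk)."""
    if env.get("KRB5CCNAME"):                        # env var wins and is used verbatim
        source, name = "KRB5CCNAME", env["KRB5CCNAME"]
    else:
        configured = libdefault(conf_text, "default_ccache_name")
        source = "krb5.conf" if configured else "builtin"
        name = expand(configured or BUILTIN_DEFAULT, uid, username)
    return source, name, cache_type(name) in ON_DISK_TYPES
```

Run it against each host's real /etc/krb5.conf and the environment of long-lived service sessions; a False in the last field means file-access monitoring of /tmp will not see that cache.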

Likely telemetry

  • Linux filesystem access events for /tmp/krb5cc_%UID% and krb5.ccache-style files
  • Reads or changes involving /etc/krb5.conf
  • Process execution for Kerberos ticket utilities such as kinit and klist
  • Environment variable visibility for KRB5CCNAME where available
  • macOS process and API-adjacent telemetry related to Kerberos credential cache interaction

Detection direction

  • Confirm whether DET0024-style logic is implemented for the organization’s Linux and macOS estate rather than assuming Windows Kerberos detections cover this behavior.
  • Baseline legitimate administrative and user interaction with kinit, klist, and ccache locations to reduce false positives.
  • Look for unusual users, processes, or session contexts accessing ccache files, Kerberos configuration, or cache locations outside expected workflows.
  • Correlate suspected cache access with later Kerberos authentication, Pass-the-Ticket indicators, privilege escalation, or lateral movement activity where telemetry exists.
  • Account for blind spots: official ATT&CK detection text is not provided, macOS caches may be memory-backed by default, and environment-specific Kerberos configurations can change cache locations.
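
As an added example (not code from Glexia, MITRE or the cited sources), the Python below applies the baselining and cross-user checks listed above to a handful of constructed, simplified file-access events. The process baseline and the events are assumptions; real auditd or EDR records would first need to be reduced to the same uid/pid/comm/op/path shape.

```python
"""Triage constructed file-access records for ccache theft signals (added example).
Implements the "Detection direction" bullets: baseline the expected readers of
ccache files, flag cross-user access, and flag changes to /etc/krb5.conf."""
import re

# /tmp/krb5cc_<uid> (optionally with a random suffix) or /tmp/krb5.ccache
CCACHE_RE = re.compile(r"^/tmp/(?:krb5cc_(?P<uid>\d+)(?:_\w+)?|krb5\.ccache)$")
KRB5_CONF = "/etc/krb5.conf"
# Constructed baseline of processes expected to open a ccache; tune per host.
BASELINE_READERS = {"kinit", "klist", "kdestroy", "ssh", "sshd", "curl", "smbclient"}

# Constructed, simplified file-access events (e.g. reduced from auditd or an EDR).
SAMPLE_EVENTS = [
    {"uid": 1000, "pid": 4101, "comm": "kinit", "op": "open", "path": "/tmp/krb5cc_1000"},
    {"uid": 1000, "pid": 4102, "comm": "klist", "op": "open", "path": "/tmp/krb5cc_1000"},
    {"uid": 0, "pid": 5120, "comm": "cp", "op": "open", "path": "/tmp/krb5cc_1000"},
    {"uid": 1000, "pid": 4115, "comm": "python3", "op": "open", "path": "/tmp/krb5cc_1000"},
    {"uid": 0, "pid": 5130, "comm": "vi", "op": "write", "path": KRB5_CONF},
    {"uid": 1000, "pid": 4120, "comm": "ssh", "op": "open", "path": KRB5_CONF},
]


def triage_event(ev):
    """Return the list of rule names the event trips (empty when benign)."""
    hits = []
    m = CCACHE_RE.match(ev["path"])
    if m:
        owner = m.group("uid")
        # A process running as a different uid touching someone else's cache is the
        # core theft pattern; root is not exempted because that is where it happens.
        if owner is not None and int(owner) != ev["uid"]:
            hits.append("cross-user-ccache-access")
        if ev["comm"] not in BASELINE_READERS:
            hits.append("non-baseline-ccache-reader")
    elif ev["path"] == KRB5_CONF and ev["op"] == "write":
        # Rewriting krb5.conf can move default_ccache_name out of monitored paths.
        hits.append("krb5-conf-modified")
    return hits


def scan(events):
    """Flatten findings as (rule, pid, comm, path) so they can be correlated later."""
    return [(rule, ev["pid"], ev["comm"], ev["path"])
            for ev in events for rule in triage_event(ev)]
```

The pid in each finding is the hook for the correlation step above: join it against later Kerberos authentication or outbound connection telemetry before escalating.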

Mitigation priorities

  • Apply Credential Access Protection by restricting access to credential storage mechanisms and hardening systems that store or handle Kerberos tickets.
  • Use auditing to record and review access to ccache storage locations, Kerberos configuration, ticket utilities, and relevant authentication activity.
  • Validate Kerberos cache location settings from /etc/krb5.conf and KRB5CCNAME so controls follow the actual environment, not only default paths.
  • During incident response, treat suspected ccache theft as potential ticket abuse and validate whether active Kerberos sessions or downstream service access require containment beyond password changes.

Analyst notes and limits

The supplied ATT&CK object is limited to Linux and macOS platforms and credential-access tactics. Relationship context links the behavior to DET0024, M1043 Credential Access Protection, M1047 Audit, parent technique T1558, and software S0357 Impacket. The business value is in validating whether host telemetry, Kerberos audit evidence, and IR playbooks can identify and contain ticket theft before it becomes authenticated activity.

Official detection content is not provided in the supplied object. This take does not assert active exploitation, attribution, or guaranteed detection. Local Kerberos configuration, endpoint telemetry depth, and macOS cache implementation details must be verified in the customer environment.

Official MITRE ATT&CK definition

Ccache Files


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

  • Domain: Enterprise | ID: T1558 | Name: Steal or Forge Kerberos Tickets | Relationship / procedure: this object is a sub-technique of Steal or Forge Kerberos Tickets.
Associated objects

Groups, software, and campaigns

Tool (Enterprise)

S0357: Impacket

Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.[1]

Platforms: Linux, macOS, Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c68775d1274ea6e8...

Imported snapshots across ATT&CK releases (1)

  • Release 19.1 | Object version 1.0 | Status: current bundle | Raw hash c68775d1274e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Kerberos GNU/Linux: Adepts of 0xCC. (2021, January 28). The Kerberos Credential Thievery Compendium (GNU/Linux). Retrieved September 17, 2024.
  2. Binary Defense Kerberos Linux: ARC Labs; Dwyer, John; Gonzalez, Eric; Hudak, Tyler. (2024, October 1). Shining a Light in the Dark – How Binary Defense Uncovered an APT Lurking in Shadows of IT. Retrieved October 7, 2024.
  3. SpectorOps Bifrost Kerberos macOS 2019: Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost. Retrieved October 6, 2021.
  4. Linux Kerberos Tickets: Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red Teams. Retrieved October 4, 2021.
  5. Bringing Mimikatz to Unix: Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide: Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021.
  6. Kekeo: Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.
  7. mitre-attack T1558.005: the MITRE-hosted ATT&CK entry for this sub-technique.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.