| ID | Name |
|---|---|
| ATAGS-T1121.001 | /etc/passwd and /etc/shadow |
| ATAGS-T1121.002 | Cached Domain Credentials |
| ATAGS-T1121.003 | DCSync |
| ATAGS-T1121.004 | LSA Secrets |
| ATAGS-T1121.005 | LSASS Memory |
| ATAGS-T1121.006 | NTDS |
| ATAGS-T1121.007 | Proc Filesystem |
| ATAGS-T1121.008 | Security Account Manager |
Threat Actors may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.