Auditing Cached Credentials With Cachedump


Presented at ShmooCon 2007 by

Our presentation will be on auditing cached Windows credentials using a combination of the cachedump tool and a custom Visual Basic script. By default, Microsoft Windows domain members cache the last 10 distinct domain login credentials in the registry. One of the easiest ways to obtain Domain Administrator privileges on a Windows domain is to compromise a desktop, laptop or member server and use the cachedump tool to reveal the cached domain credentials. The attacker then launches a brute-force or dictionary cracking attack against the cached credentials. This can lead to complete compromise of the entire domain if a cracked password belongs to an account that is a member of the Domain Admins group. The presentation will show how to use the cachedump utility in conjunction with a Visual Basic script to remove cached credentials from systems based on the user's group membership in Active Directory. This will be illustrated in a test domain environment using VMware, and all source code for the Visual Basic script will be provided. The circumstances under which credentials are cached will be listed (console login, runas, RDP, etc.) along with the configuration options currently available to stop them from being cached. Lastly, suggestions will be presented for Microsoft to update their login process and group policy settings to allow for more granular control over which credentials are cached.
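As an added illustration of the "configuration options available to stop them from being cached" mentioned above (this is not the talk's Visual Basic script, and the audit threshold is an assumption), the PowerShell below reads and optionally sets the Winlogon CachedLogonsCount registry value, which is what the Group Policy setting "Interactive logon: Number of previous logons to cache" writes; it defaults to 10, matching the behavior the abstract describes.

```powershell
# Added example, not part of the ShmooCon 2007 talk or its VB script.
# CachedLogonsCount (REG_SZ under the Winlogon key) controls how many domain
# logons Windows keeps in the local credential cache. Absent value = default 10.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsSetting {
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }          # not set: Windows applies the default of 10
    return [int]$item.CachedLogonsCount
}

function Test-CachedLogonsPolicy {
    # $Maximum is an assumed audit threshold; 0 means "no credentials may be cached".
    param([int]$Maximum = 0)
    $current = Get-CachedLogonsSetting
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        CachedLogonsCount = $current
        Compliant         = ($current -le $Maximum)
    }
}

function Set-CachedLogonsSetting {
    # Windows accepts 0..50. Requires local administrator rights.
    # Caveat: with 0, a domain user cannot log on while no domain controller
    # is reachable (typical for laptops off the corporate network).
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count)
    Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value "$Count" -Type String
}

# Report the local host's current state against the assumed threshold.
Test-CachedLogonsPolicy -Maximum 0 | Format-Table -AutoSize
```

Run the audit across fleet hosts (for example via Invoke-Command) to find machines still at the default of 10 before deciding where a lower value or the talk's group-membership-based cleanup is appropriate.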