Windows Cached Credentials - securing test endpoints

Hey, I have been working with crackmapexec to test security capabilities and the like. I have noticed on my test network that Windows 10 caches MS-Cachev2 credentials for domain accounts. I don’t seem to see a way to wipe these creds from an endpoint. Restarts don’t work. Does anyone know a way to force a clear of all cached credentials from Windows 10?

From memory,
In Control Panel - Credential Manager but I might be talking out of my ■■■■ there

Thanks for the idea. Unfortunately that doesn’t list this type of credential cache. That gives the same as ‘cmdkey /list’. With crackmapexec I am scraping a bunch of other cached creds from LSASS and other sources. And these others aren’t wiping on restarts. Even after putting the account in question in a ‘Protected Users Group’. :( I am hoping there is some Python or PowerShell command for cleaning these out.

For anyone interested, I have found that adding the account to the MS Protected Users Group and then logging in and out with that account on the target does wipe out that account’s LSA cache. Too bad I haven’t found a more surgical way to do it with a script.

Clear all cached credentials from OS and other apps: Browse code samples | Microsoft Learn

Disable credential caching using GPO/secpol/registry: Interactive logon Number of previous logons to cache (in case domain controller is not available) (Windows 10) | Microsoft Learn

@Ljugtomten Thanks for the reference. This only clears out cred manager. I can do that with PowerShell. This doesn’t touch the LSA secrets I can scrape with crackmapexec.
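
For reference, the "Interactive logon: Number of previous logons to cache" policy linked above is backed by the `CachedLogonsCount` registry value, and the following added example (not code from any poster in this thread) audits that value and sets it from an elevated PowerShell prompt. The function names are hypothetical; the script only changes the limit for future logons and does not itself remove entries that are already cached.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and set the cached domain logon limit that backs the
# "Interactive logon: Number of previous logons to cache" policy.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonLimit {
    # Hypothetical helper. The value is stored as a REG_SZ string;
    # when it is absent, Windows uses its default of 10.
    $prop = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 10 }
    return [int]$prop.CachedLogonsCount
}

function Set-CachedLogonLimit {
    # Hypothetical helper. 0 disables caching of domain logons; the policy allows 0 to 50.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 50)][int]$Count = 0)

    $current = Get-CachedLogonLimit
    if ($current -eq $Count) {
        Write-Verbose "CachedLogonsCount is already $Count; nothing to change."
        return
    }
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set CachedLogonsCount from $current to $Count")) {
        # Write the value back as a string to keep the REG_SZ type.
        Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value "$Count" -Type String
    }
}

"Current cached logon limit: $(Get-CachedLogonLimit)"
Set-CachedLogonLimit -Count 0 -WhatIf   # remove -WhatIf to apply the change
```

With the limit at 0, domain accounts cannot log on interactively when no domain controller is reachable, and a domain GPO that sets this policy will overwrite a local change at the next policy refresh.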