DPAPI

Data Protection API

Master keys locations (hidden files, need -Force):

PS > ls -Force C:\Users\snovvcrash\AppData\Roaming\Microsoft\Protect\ (%appdata%\Microsoft\Protect\)
PS > ls -Force C:\Users\snovvcrash\AppData\Local\Microsoft\Protect\ (%localappdata%\Microsoft\Protect\)

Credential files locations (hidden files, need -Force):

PS > ls -Force C:\Users\snovvcrash\AppData\Roaming\Microsoft\Credentials\ (%appdata%\Microsoft\Credentials\)
PS > ls -Force C:\Users\snovvcrash\AppData\Local\Microsoft\Credentials\ (%localappdata%\Microsoft\Credentials\)

Unhide files:

PS > cmd /c "attrib -h -s 00ff00ff-00ff-00ff-00ff-00ff00ff00ff"
PS > cmd /c "attrib -h -s 00ff00ff00ff00ff00ff00ff00ff00ff"
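
Audit script for the locations above, as an added example and not part of the original notes: it walks every profile, lists the GUID-named master keys and 32-hex-char credential blobs, and flags any file whose Hidden+System attributes have been stripped (the effect of `attrib -h -s`), which a defender can treat as a tampering signal. It assumes the default `C:\Users` profile root and elevated read access; the filename patterns and function name are this example's own.

```powershell
# Added example (not part of the original notes): audit DPAPI master-key and
# credential-file locations for every user profile and report files whose
# Hidden+System attributes have been stripped (what "attrib -h -s" does).
# Assumes the default C:\Users layout and read access to all profiles (run
# elevated). The filename regexes are this example's own assumptions.

$GuidPattern = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'   # master key file names
$CredPattern = '^[0-9A-F]{32}$'                                # credential blob file names

function Get-DpapiFileStatus {
    param([string]$ProfileRoot = 'C:\Users')

    # The four locations listed in the notes, relative to each profile
    $locations = @(
        @{ Kind = 'MasterKey';  Rel = 'AppData\Roaming\Microsoft\Protect';     Pattern = $GuidPattern },
        @{ Kind = 'MasterKey';  Rel = 'AppData\Local\Microsoft\Protect';       Pattern = $GuidPattern },
        @{ Kind = 'Credential'; Rel = 'AppData\Roaming\Microsoft\Credentials'; Pattern = $CredPattern },
        @{ Kind = 'Credential'; Rel = 'AppData\Local\Microsoft\Credentials';   Pattern = $CredPattern }
    )

    foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($loc in $locations) {
            $dir = Join-Path $profile.FullName $loc.Rel
            if (-not (Test-Path -LiteralPath $dir)) { continue }

            # -Force is required: directories and files are Hidden+System by default.
            # Master keys live one level down, in a per-SID subfolder (S-1-5-21-...).
            Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match $loc.Pattern } |
                ForEach-Object {
                    $hidden = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
                    $system = ($_.Attributes -band [IO.FileAttributes]::System) -ne 0
                    [pscustomobject]@{
                        User      = $profile.Name
                        Kind      = $loc.Kind
                        Path      = $_.FullName
                        LastWrite = $_.LastWriteTime
                        Unhidden  = -not ($hidden -and $system)   # True => attributes were stripped
                    }
                }
        }
    }
}

# Report every file that no longer carries the default Hidden+System attributes
Get-DpapiFileStatus | Where-Object Unhidden | Format-Table -AutoSize
```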

Mimikatz

Decrypt manually offline with a known plaintext password:

Impacket

Retrieve the domain DPAPI backup key (never changes) from a DC to decrypt master keys and blobs:

SharpDPAPI

Triage the user's credentials, vaults, RDG files and certificates:

Triage the machine's credentials (machinecredentials), vaults (machinevaults) and certificates (certificates /machine):

Retrieve the domain DPAPI backup key (never changes) from a DC and use it to decrypt the master keys and blobs of any user in the domain (needs DA privileges):

SharpChrome

SharpChromium

Tools
