You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Some applications pass an additional **entropy** value to `CryptProtectData`. Without this value the blob cannot be decrypted, even if the correct masterkey is known. Obtaining the entropy is therefore essential when targeting credentials protected in this way (e.g. Microsoft Outlook, some VPN clients).
269
+
270
+
[**EntropyCapture**](https://github.com/SpecterOps/EntropyCapture) (2022) is a user-mode DLL that hooks the DPAPI functions inside the target process and transparently records any optional entropy that is supplied. Running EntropyCapture in **DLL-injection** mode against processes like `outlook.exe` or `vpnclient.exe` will output a file mapping each entropy buffer to the calling process and blob. The captured entropy can later be supplied to **SharpDPAPI** (`/entropy:`) or **Mimikatz** (`/entropy:<file>`) in order to decrypt the data. citeturn5search0
271
+
272
+
```powershell
273
+
# Inject EntropyCapture into the current user's Outlook
Microsoft introduced a **context 3** masterkey format starting with Windows 10 v1607 (2016). `hashcat` v6.2.6 (December 2023) added hash-modes **22100** (DPAPI masterkey v1 context ), **22101** (context 1) and **22102** (context 3) allowing GPU-accelerated cracking of user passwords directly from the masterkey file. Attackers can therefore perform word-list or brute-force attacks without interacting with the target system. citeturn8search1
284
+
285
+
`DPAPISnoop` (2024) automates the process:
286
+
287
+
```bash
288
+
# Parse a whole Protect folder, generate hashcat format and crack
The tool can also parse Credential and Vault blobs, decrypt them with cracked keys and export cleartext passwords.
294
+
265
295
266
296
### Access other machine data
267
297
@@ -276,30 +306,50 @@ SharpChrome cookies /server:HOST /pvk:BASE64
276
306
277
307
### HEKATOMB
278
308
279
-
[**HEKATOMB**](https://github.com/Processus-Thief/HEKATOMB) is a tool that automates the extraction of all users and computers from the LDAP directory and the extraction of domain controller backup key through RPC. The script will then resolve all computers ip address and perform a smbclient on all computers to retrieve all DPAPI blobs of all users and decrypt everything with domain backup key.
309
+
[**HEKATOMB**](https://github.com/Processus-Thief/HEKATOMB) is a tool that automates the extraction of all users and computers from the LDAP directory and the extraction of domain controller backup key through RPC. The script will then resolve all computers IP address and perform a smbclient on all computers to retrieve all DPAPI blobs of all users and decrypt everything with domain backup key.
With extracted from LDAP computers list you can find every sub network even if you didn't know them !
284
314
285
-
### DonPAPI
315
+
### DonPAPI 2.x (2024-05)
316
+
317
+
[**DonPAPI**](https://github.com/login-securite/DonPAPI) can dump secrets protected by DPAPI automatically. The 2.x release introduced:
318
+
319
+
* Parallel collection of blobs from hundreds of hosts
320
+
* Parsing of **context 3** masterkeys and automatic Hashcat cracking integration
321
+
* Support for Chrome "App-Bound" encrypted cookies (see next section)
322
+
* A new **`--snapshot`** mode to repeatedly poll endpoints and diff newly-created blobs citeturn1search2
323
+
324
+
### DPAPISnoop
286
325
287
-
[**DonPAPI**](https://github.com/login-securite/DonPAPI)can dump secrets protected by DPAPI automatically.
326
+
[**DPAPISnoop**](https://github.com/Leftp/DPAPISnoop) is a C# parser for masterkey/credential/vault files that can output Hashcat/JtR formats and optionally invoke cracking automatically. It fully supports machine and user masterkey formats up to Windows 11 24H1. citeturn2search0
288
327
289
-
### Common detections
328
+
329
+
## Common detections
290
330
291
331
- Access to files in `C:\Users\*\AppData\Roaming\Microsoft\Protect\*`, `C:\Users\*\AppData\Roaming\Microsoft\Credentials\*` and other DPAPI-related directories.
292
-
-Specially from a network share like C$ or ADMIN$.
293
-
- Use of Mimikatzto access LSASS memory.
294
-
- Event **4662**: An operation was performed on an object.
295
-
- This event can be checked to see if the `BCKUPKEY` object was accessed.
332
+
-Especially from a network share like **C$** or **ADMIN$**.
333
+
- Use of **Mimikatz**, **SharpDPAPI** or similar tooling to access LSASS memory or dump masterkeys.
334
+
- Event **4662**: *An operation was performed on an object* – can be correlated with access to the **`BCKUPKEY`** object.
335
+
- Event **4673/4674** when a process requests *SeTrustedCredManAccessPrivilege* (Credential Manager)
***CVE-2023-36004 – Windows DPAPI Secure Channel Spoofing** (November 2023). An attacker with network access could trick a domain member into retrieving a malicious DPAPI backup key, allowing decryption of user masterkeys. Patched in November 2023 cumulative update – administrators should ensure DCs and workstations are fully patched. citeturn4search0
341
+
***Chrome 127 “App-Bound” cookie encryption** (July 2024) replaced the legacy DPAPI-only protection with an additional key stored under the user’s **Credential Manager**. Offline decryption of cookies now requires both the DPAPI masterkey and the **GCM-wrapped app-bound key**. SharpChrome v2.3 and DonPAPI 2.x are able to recover the extra key when running with user context. citeturn0search0
0 commit comments