# DPAPI Secrets

- Decrypt Masterkeys using DPAPI_SYSTEM
  - DPAPI_SYSTEM is an LSA secret holding two keys: the machine key decrypts the machine-scope masterkeys, the user key decrypts the SYSTEM account's own user-scope masterkeys.
  - Machine-scope masterkeys (these protect machine-scope DPAPI secrets, not user-scope ones):
    `C:\Windows\System32\Microsoft\Protect\S-1-5-18\*`
  - SYSTEM's user-scope masterkeys (needed for LocalSystem's own per-profile secrets, e.g. its Credential Manager blobs):
    `C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\*`
  - Masterkey files are named after their GUID; the `Preferred` file in each folder points at the current one.
- Decrypt Private Keys
  - Recover the private keys behind machine certificates and service key containers; with them you can impersonate the host/services and decrypt whatever those keys protect (e.g. IIS configuration session keys).
  - RSA (CAPI / CSP key containers):
    `C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\*`
    - Present on all Windows; typically populated.
  - CNG (KSP key containers):
    `C:\ProgramData\Microsoft\Crypto\Keys\*`
    - Only present/populated if CNG/KSP keys exist.
  - Each key file embeds DPAPI blobs (the private key and its export flags); the machine masterkeys above decrypt them, so a "non-exportable" flag is irrelevant offline.
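The GUID of the masterkey a blob needs is written in the blob's own plaintext header, so before touching any key material you can tell which file under `Protect\S-1-5-18` (machine scope) or `Protect\S-1-5-18\User` (SYSTEM's user-scope secrets, such as its Credential Manager blobs) has to be decrypted with DPAPI_SYSTEM, and which cipher/hash the blob uses. The following is an added Python example, not code from the original page: it walks the DPAPI blob structure, reports the masterkey GUID, and matches it against directory listings of the Protect folders. The blob, the GUIDs and the listings are constructed for the demo; `locate_masterkey` assumes you have already collected those listings from the target.

```python
"""Map a DPAPI blob to the masterkey file it needs (added example, constructed data)."""
import struct
import uuid
from typing import Dict, List, Optional

DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values commonly seen in DPAPI blob headers
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the plaintext structure of a DPAPI blob (CryptProtectData output) and
    return what triage needs: the GUID of the masterkey that protects it, the
    description string and the cipher/hash algorithms. Field order, all
    little-endian: dwVersion, guidProvider, dwMasterKeyVersion, guidMasterKey,
    dwFlags, dwDescriptionLen+szDescription, algCrypt, dwAlgCryptLen,
    dwSaltLen+pbSalt, dwHmacKeyLen+pbHmacKey, algHash, dwAlgHashLen,
    dwHmac2KeyLen+pbHmac2Key, dwDataLen+pbData, dwSignLen+pbSign."""
    off = 0

    def u32() -> int:
        nonlocal off
        (value,) = struct.unpack_from("<I", blob, off)
        off += 4
        return value

    def take(n: int) -> bytes:
        nonlocal off
        chunk = blob[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated DPAPI blob")
        off += n
        return chunk

    version = u32()
    provider = uuid.UUID(bytes_le=take(16))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (version/provider GUID mismatch)")
    u32()                                   # dwMasterKeyVersion
    masterkey_guid = uuid.UUID(bytes_le=take(16))
    flags = u32()
    description = take(u32()).decode("utf-16-le").rstrip("\x00")
    alg_crypt, key_bits = u32(), u32()
    take(u32())                             # pbSalt
    take(u32())                             # pbHmacKey (legacy, normally empty)
    alg_hash, hash_bits = u32(), u32()
    take(u32())                             # pbHmac2Key
    data_len = u32()
    take(data_len)                          # pbData (the ciphertext)
    take(u32())                             # pbSign (HMAC over the blob)
    return {
        "masterkey_guid": str(masterkey_guid),
        "flags": flags,
        "description": description,
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "key_bits": key_bits,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "hash_bits": hash_bits,
        "ciphertext_len": data_len,
    }


def locate_masterkey(masterkey_guid: str, listings: Dict[str, List[str]]) -> Optional[str]:
    """Masterkey files are named after their GUID, so a directory listing of the
    Protect folders is enough to say which file a blob needs and where it lives."""
    for folder, names in listings.items():
        if masterkey_guid.lower() in (n.lower() for n in names):
            return folder
    return None


# Constructed sample data (not real key material): one masterkey in the machine-scope
# folder, one in SYSTEM's user-scope folder.
SAMPLE_MK_GUID = uuid.UUID("3e4f0a2b-1c5d-4e6f-8a9b-0c1d2e3f4a5b")
SAMPLE_LISTINGS = {
    r"C:\Windows\System32\Microsoft\Protect\S-1-5-18":
        ["Preferred", "7b8c9d0e-2f3a-4b5c-8d6e-7f8091a2b3c4"],
    r"C:\Windows\System32\Microsoft\Protect\S-1-5-18\User":
        ["Preferred", str(SAMPLE_MK_GUID)],
}


def build_sample_blob(masterkey_guid: uuid.UUID, description: str) -> bytes:
    """Constructed blob: a syntactically valid header around dummy ciphertext so the
    parser can be exercised offline (AES-256 / SHA-512, as modern Windows writes)."""
    desc = (description + "\x00").encode("utf-16-le")
    salt, hmac2, data, sign = bytes(32), bytes(64), bytes(48), bytes(64)
    return b"".join([
        struct.pack("<I", 1), DPAPI_PROVIDER_GUID.bytes_le,
        struct.pack("<I", 1), masterkey_guid.bytes_le,
        struct.pack("<II", 0, len(desc)), desc,
        struct.pack("<II", 0x6610, 256),
        struct.pack("<I", len(salt)), salt,
        struct.pack("<I", 0),                       # no legacy HMAC key
        struct.pack("<II", 0x800E, 512),
        struct.pack("<I", len(hmac2)), hmac2,
        struct.pack("<I", len(data)), data,
        struct.pack("<I", len(sign)), sign,
    ])


if __name__ == "__main__":
    info = parse_dpapi_blob(build_sample_blob(SAMPLE_MK_GUID, "Local Credential Data"))
    print(info)
    print("masterkey folder:", locate_masterkey(info["masterkey_guid"], SAMPLE_LISTINGS))
```

Run it over a real Credential Manager file from `systemprofile\AppData\Local\Microsoft\Credentials` and the GUID will point into `S-1-5-18\User`; run it over the private-key blob inside a MachineKeys file and it will point into the `S-1-5-18` root. Either way the decryption key is DPAPI_SYSTEM, but a different half of it.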
- Secrets to Decrypt with DPAPI Masterkeys

| Location / Artifact | Likelihood | What you'll decrypt | Why it's useful |
|---|---|---|---|
| `C:\Windows\System32\inetsrv\config\applicationHost.config` (IIS) | High on IIS servers; Low elsewhere | App-pool identity passwords, virtual-directory credentials and provider settings stored as `[enc:<provider>:...:enc]` attributes; the provider session key is wrapped with the `iisConfigurationKey` / `iisWasKey` RSA containers in MachineKeys | Cleartext service-account passwords → WinRM/SMB logons; lateral movement as service accounts |
| `C:\inetpub\wwwroot\**\web.config` and the `web.config` of other app directories | High on IIS/.NET apps; Medium on other web servers | `<connectionStrings>` / `<appSettings>` sections protected with aspnet_regiis (RsaProtectedConfigurationProvider → RSA key container in MachineKeys; DataProtectionConfigurationProvider → a raw machine-scope DPAPI blob) | DB credentials, API keys, third-party credentials → DB pivot, data access |
| Machine certificate private keys (visible in the MMC certificate store; files under `MachineKeys` / `Keys`) | Medium-High on domain servers (LDAPS/RDP/IIS certs are common) | Exportable `.pfx` once the DPAPI layer is removed, regardless of the key's export flag | Server impersonation in a lab, TLS interception in controlled tests, client-certificate auth where it is used |
| Credential Manager blobs of the built-in service accounts: `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\*`, `C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\*`, `...\NetworkService\...\Credentials\*` | Medium | Saved credentials of LocalSystem / LocalService / NetworkService (proxies, service endpoints, app secrets). These are user-scope blobs of those accounts, so they need the account's own masterkeys (`Protect\S-1-5-18\User` for SYSTEM; the `AppData\Roaming\Microsoft\Protect` folder of the matching `ServiceProfiles` profile for the other two), not the machine-scope set | Reuse creds to reach upstream services (web APIs, proxies, management endpoints) |

If a path isn't present, skip it. IIS configs and machine certificate keys are the most common wins on servers; Credential Manager blobs are hit-or-miss but worth checking.
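Before decrypting anything it pays to know which values in the IIS and .NET configs above are actually encrypted and what each one depends on: `applicationHost.config` stores encrypted attributes as `[enc:<provider>:<base64>:enc]` and the provider entries in `<configProtectedData>` name the RSA key container (`iisConfigurationKey`, `iisWasKey`) whose DPAPI-protected private key unwraps the session key; a `web.config` section protected with aspnet_regiis carries a `configProtectionProvider` attribute, where RsaProtectedConfigurationProvider wraps the section key with an RSA container (default name `NetFrameworkConfigurationKey`) and DataProtectionConfigurationProvider stores a bare DPAPI blob as the `CipherValue`. The scanner below is an added Python example, not code from the original page; both config samples are constructed to match the layout IIS and aspnet_regiis write, and the ciphertexts are dummy bytes.

```python
"""Triage IIS and .NET config files for DPAPI-backed secrets (added example, constructed samples)."""
import base64
import re
import xml.etree.ElementTree as ET

# applicationHost.config writes encrypted attribute values as [enc:<provider>:<base64>:enc]
ENC_ATTR = re.compile(r"^\[enc:(?P<provider>[^:\]]+):(?P<cipher>[^\]]*):enc\]$")
# Every DPAPI blob starts with dwVersion = 1 followed by the DPAPI provider GUID
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf011511d18c7a00c04fc297eb")


def _local(tag):
    """Strip an XML namespace: '{uri}CipherValue' -> 'CipherValue'."""
    return tag.rsplit("}", 1)[-1]


def scan_iis_config(xml_text):
    """applicationHost.config: every [enc:...] attribute plus the RSA key container
    (a file under MachineKeys) that unwraps the session key of its provider."""
    root = ET.fromstring(xml_text)
    containers = {}
    for cpd in root.iter("configProtectedData"):
        for add in cpd.iter("add"):
            containers[add.get("name")] = add.get("keyContainerName")
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            m = ENC_ATTR.match(value)
            if not m:
                continue
            p = parent.get(elem)  # processModel has no name of its own; use the app pool's
            owner = elem.get("name") or elem.get("path") or (p.get("name") if p is not None else None)
            findings.append({"owner": owner, "attribute": attr, "provider": m["provider"],
                             "key_container": containers.get(m["provider"])})
    return findings


def scan_dotnet_config(xml_text):
    """web.config: sections protected by aspnet_regiis, the RSA key name if RSA-wrapped,
    and whether the ciphertext is itself a raw DPAPI blob (DataProtection provider)."""
    root = ET.fromstring(xml_text)
    results = []
    for section in root:
        provider = section.get("configProtectionProvider")
        if not provider:
            continue
        entry = {"section": _local(section.tag), "provider": provider, "key_name": None, "dpapi_blob": False}
        cipher_values = []
        for el in section.iter():
            if _local(el.tag) == "KeyName":
                entry["key_name"] = el.text
            elif _local(el.tag) == "CipherValue":
                cipher_values.append(el.text)
        if cipher_values:  # last CipherValue is the section data; an earlier one is the RSA-wrapped key
            entry["dpapi_blob"] = base64.b64decode(cipher_values[-1]).startswith(DPAPI_MAGIC)
        results.append(entry)
    return results


# Constructed samples: structure as written by IIS / aspnet_regiis, ciphertexts are dummy bytes
SAMPLE_APPHOST = r"""<configuration>
  <configProtectedData><providers>
    <add name="AesProvider" keyContainerName="iisConfigurationKey" useMachineContainer="true" sessionKey="AQIAAA==" />
    <add name="IISWASOnlyAesProvider" keyContainerName="iisWasKey" useMachineContainer="true" sessionKey="AQIAAA==" />
  </providers></configProtectedData>
  <system.applicationHost>
    <applicationPools><add name="AppSvcPool">
      <processModel identityType="SpecificUser" userName="CORP\svc_app" password="[enc:IISWASOnlyAesProvider:c2FtcGxl:enc]" />
    </add></applicationPools>
    <sites><site name="Default Web Site" id="1"><application path="/">
      <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
      <virtualDirectory path="/share" physicalPath="\\fs01\www" userName="CORP\svc_share" password="[enc:AesProvider:c2FtcGxl:enc]" />
    </application></site></sites>
  </system.applicationHost>
</configuration>"""

SAMPLE_WEBCONFIG = r"""<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>Rsa Key</KeyName></KeyInfo>
          <CipherData><CipherValue>AAAAAAAAAAAAAAAAAAAAAA==</CipherValue></CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData><CipherValue>AAAAAAAAAAAAAAAAAAAAAA==</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>__DPAPI__</CipherValue></CipherData></EncryptedData>
  </appSettings>
</configuration>""".replace("__DPAPI__", base64.b64encode(DPAPI_MAGIC + bytes(64)).decode())

if __name__ == "__main__":
    for f in scan_iis_config(SAMPLE_APPHOST) + scan_dotnet_config(SAMPLE_WEBCONFIG):
        print(f)
```

The output tells you what to collect next: an `[enc:...]` finding means grabbing the named key container file from MachineKeys plus the machine masterkeys; a `dpapi_blob: True` section can be fed straight to a DPAPI blob parser to find its masterkey GUID; an RSA-protected section needs the container behind `Rsa Key` (the provider's `keyContainerName`, `NetFrameworkConfigurationKey` unless the app changed it).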