#dpapi — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #dpapi, aggregated by home.social.
-
----------------
🔧 Tool: VMkatz
VMkatz is a compact forensic/offensive utility designed to extract Windows secrets directly from virtual machine artifacts without full-disk exfiltration. It targets memory snapshots and offline virtual disks to recover credential material typically harvested by in-guest tools such as mimikatz, but operates against VM files stored on NAS, hypervisors, or virtualization hosts.
What it extracts (concise)
• From memory snapshots (LSASS equivalents): NT/LM hashes (MSV1_0), plaintext where available (WDigest, TsPkg, SSP, LiveSSP), Kerberos keys and tickets (AES/RC4/DES), DPAPI master key cache entries, Credman entries and CloudAP tokens when present.
• From virtual disks (offline): SAM hashes, LSA secrets, cached domain credentials (DCC2), and native NTDS.dit extraction from ESE databases on domain controller disks.Supported inputs and environment
• Common snapshot/disk formats: VMware snapshots (.vmsn + .vmem), VMware virtual disks (.vmdk sparse/flat), VirtualBox saved states (.sav). Additional parsers listed include Hyper‑V and QEMU core dump variants (some untested).
• The project is distributed as a single static binary (~2.5 MB) intended to be run on hosts that can access VM files (NAS, ESXi, Proxmox nodes), enabling credential recovery without transferring multi‑gigabyte images offsite.Technical notes and scope
• Memory parsing implements provider-specific walks (AVL trees, linked lists, hash tables) and falls back to physical-scan strategies for paged entries where applicable.
• NTDS.dit extraction reads the ESE database natively for AD hash recovery; no reliance on external tooling is required for that functionality.
• Several input formats remain marked as untested; results may vary by hypervisor version and snapshot composition.Limitations and operational considerations
• Effectiveness depends on the snapshot content and whether the relevant credential pages are present in the captured artifacts.
• Some providers (e.g., CloudAP, LiveSSP) may be empty or absent on many systems.🔹 VMkatz #ntds.dit #dpapi #vmdk #forensics
🔗 Source: https://github.com/nikaiw/VMkatz
-
Researchers have revealed a DPAPI-based Teams token theft method allowing attackers to decrypt locally stored authentication cookies and impersonate enterprise users.
⚙️ Technical context:
- Target: msedgewebview2.exe process spawned by Teams.
- Stores AES-256-GCM encrypted cookies in a SQLite database.
- Decryption possible by extracting os_crypt.encrypted_key from Local State and unprotecting via DPAPI.
- Enables attackers to read Teams/SharePoint data and send messages as victims.💬 SOC/DFIR pros - what’s the best detection vector here? File I/O from WebView2? Suspicious DPAPI calls?
👍 Drop your hunting ideas below, like this post & follow @technadu for continuous threat research coverage.
#MicrosoftTeams #DPAPI #Forensics #DFIR #ThreatIntel #WindowsSecurity #InfoSec #AccessTokens #EDR #SOC #CyberDefense #TechNadu -
Researchers have revealed a DPAPI-based Teams token theft method allowing attackers to decrypt locally stored authentication cookies and impersonate enterprise users.
⚙️ Technical context:
- Target: msedgewebview2.exe process spawned by Teams.
- Stores AES-256-GCM encrypted cookies in a SQLite database.
- Decryption possible by extracting os_crypt.encrypted_key from Local State and unprotecting via DPAPI.
- Enables attackers to read Teams/SharePoint data and send messages as victims.💬 SOC/DFIR pros - what’s the best detection vector here? File I/O from WebView2? Suspicious DPAPI calls?
👍 Drop your hunting ideas below, like this post & follow @technadu for continuous threat research coverage.
#MicrosoftTeams #DPAPI #Forensics #DFIR #ThreatIntel #WindowsSecurity #InfoSec #AccessTokens #EDR #SOC #CyberDefense #TechNadu -
Researchers have revealed a DPAPI-based Teams token theft method allowing attackers to decrypt locally stored authentication cookies and impersonate enterprise users.
⚙️ Technical context:
- Target: msedgewebview2.exe process spawned by Teams.
- Stores AES-256-GCM encrypted cookies in a SQLite database.
- Decryption possible by extracting os_crypt.encrypted_key from Local State and unprotecting via DPAPI.
- Enables attackers to read Teams/SharePoint data and send messages as victims.💬 SOC/DFIR pros - what’s the best detection vector here? File I/O from WebView2? Suspicious DPAPI calls?
👍 Drop your hunting ideas below, like this post & follow @technadu for continuous threat research coverage.
#MicrosoftTeams #DPAPI #Forensics #DFIR #ThreatIntel #WindowsSecurity #InfoSec #AccessTokens #EDR #SOC #CyberDefense #TechNadu -
Phew! 🥳 This little #powershell gem saved my ass today when I tried to migrate a #Signal Desktop install to another Windows PC.
(Not a thing officially supported by @signalapp)The database encryption key itself is device-specifically encrypted using the „Data Protection API“ (haha) #DPAPI, so signal can't decrypt it on the new machine.
Using a legacy parameter, you can put the unencrypted key on the old machine, transfer it to the new one and have it re-encrypted.
-
Phew! 🥳 This little #powershell gem saved my ass today when I tried to migrate a #Signal Desktop install to another Windows PC.
(Not a thing officially supported by @signalapp)The database encryption key itself is device-specifically encrypted using the „Data Protection API“ (haha) #DPAPI, so signal can't decrypt it on the new machine.
Using a legacy parameter, you can put the unencrypted key on the old machine, transfer it to the new one and have it re-encrypted.
-
Phew! 🥳 This little #powershell gem saved my ass today when I tried to migrate a #Signal Desktop install to another Windows PC.
(Not a thing officially supported by @signalapp)The database encryption key itself is device-specifically encrypted using the „Data Protection API“ (haha) #DPAPI, so signal can't decrypt it on the new machine.
Using a legacy parameter, you can put the unencrypted key on the old machine, transfer it to the new one and have it re-encrypted.
-
Phew! 🥳 This little #powershell gem saved my ass today when I tried to migrate a #Signal Desktop install to another Windows PC.
(Not a thing officially supported by @signalapp)The database encryption key itself is device-specifically encrypted using the „Data Protection API“ (haha) #DPAPI, so signal can't decrypt it on the new machine.
Using a legacy parameter, you can put the unencrypted key on the old machine, transfer it to the new one and have it re-encrypted.
-
Phew! 🥳 This little #powershell gem saved my ass today when I tried to migrate a #Signal Desktop install to another Windows PC.
(Not a thing officially supported by @signalapp)The database encryption key itself is device-specifically encrypted using the „Data Protection API“ (haha) #DPAPI, so signal can't decrypt it on the new machine.
Using a legacy parameter, you can put the unencrypted key on the old machine, transfer it to the new one and have it re-encrypted.
-
Browser Stored Credentials: https://ipurple.team/2024/09/10/browser-stored-credentials/
-
Browser Stored Credentials: https://ipurple.team/2024/09/10/browser-stored-credentials/
-
Browser Stored Credentials: https://ipurple.team/2024/09/10/browser-stored-credentials/
-
Did you know there’s a backup key stored on your domain controllers that can decrypt DPAPI-stored secrets for all domain users? 🚨 And unfortunately, there's no way to rotate this key!
Watch CQURE’s Paula Januszkiewicz as she demonstrates how this key can be retrieved and utilized.
-
Did you know there’s a backup key stored on your domain controllers that can decrypt DPAPI-stored secrets for all domain users? 🚨 And unfortunately, there's no way to rotate this key!
Watch CQURE’s Paula Januszkiewicz as she demonstrates how this key can be retrieved and utilized.
-
Did you know there’s a backup key stored on your domain controllers that can decrypt DPAPI-stored secrets for all domain users? 🚨 And unfortunately, there's no way to rotate this key!
Watch CQURE’s Paula Januszkiewicz as she demonstrates how this key can be retrieved and utilized.
-
Did you know there’s a backup key stored on your domain controllers that can decrypt DPAPI-stored secrets for all domain users? 🚨 And unfortunately, there's no way to rotate this key!
Watch CQURE’s Paula Januszkiewicz as she demonstrates how this key can be retrieved and utilized.
-
Did you know there’s a backup key stored on your domain controllers that can decrypt DPAPI-stored secrets for all domain users? 🚨 And unfortunately, there's no way to rotate this key!
Watch CQURE’s Paula Januszkiewicz as she demonstrates how this key can be retrieved and utilized.
-
[Перевод] Pivot to the Clouds: Кража cookie в 2024 году
Недавно Google опубликовала блог об обнаружении кражи данных из браузера с помощью журналов событий Windows . В этом посте есть несколько полезных советов для защитников о том, как обнаружить неправомерное использование вызовов DPAPI, пытающихся захватить конфиденциальные данные браузера. Изучить
-
[Перевод] Pivot to the Clouds: Кража cookie в 2024 году
Недавно Google опубликовала блог об обнаружении кражи данных из браузера с помощью журналов событий Windows . В этом посте есть несколько полезных советов для защитников о том, как обнаружить неправомерное использование вызовов DPAPI, пытающихся захватить конфиденциальные данные браузера. Изучить
-
[Перевод] Pivot to the Clouds: Кража cookie в 2024 году
Недавно Google опубликовала блог об обнаружении кражи данных из браузера с помощью журналов событий Windows . В этом посте есть несколько полезных советов для защитников о том, как обнаружить неправомерное использование вызовов DPAPI, пытающихся захватить конфиденциальные данные браузера. Изучить
-
Wow, this is a great write-up of a classic pentest that ended-up in focusing on @bitwarden and how to unlock the vault with no password when biometrics/#WindowsHello are enabled! Very useful details for anyone looking into using #DPAPI the correct way! (which is currently my case 🤩)
-
Wow, this is a great write-up of a classic pentest that ended-up in focusing on @bitwarden and how to unlock the vault with no password when biometrics/#WindowsHello are enabled! Very useful details for anyone looking into using #DPAPI the correct way! (which is currently my case 🤩)
-
Wow, this is a great write-up of a classic pentest that ended-up in focusing on @bitwarden and how to unlock the vault with no password when biometrics/#WindowsHello are enabled! Very useful details for anyone looking into using #DPAPI the correct way! (which is currently my case 🤩)
-
Wow, this is a great write-up of a classic pentest that ended-up in focusing on @bitwarden and how to unlock the vault with no password when biometrics/#WindowsHello are enabled! Very useful details for anyone looking into using #DPAPI the correct way! (which is currently my case 🤩)
-
Wow, this is a great write-up of a classic pentest that ended-up in focusing on @bitwarden and how to unlock the vault with no password when biometrics/#WindowsHello are enabled! Very useful details for anyone looking into using #DPAPI the correct way! (which is currently my case 🤩)
-
CrackMapExec now includes DPAPI cred dumping as a core feature thanks to the dploot library by Thomas Seigneuret from the Orange Cyberdefense French team.
Picture from @mpgn’s bird account.
-
CrackMapExec now includes DPAPI cred dumping as a core feature thanks to the dploot library by Thomas Seigneuret from the Orange Cyberdefense French team.
Picture from @mpgn’s bird account.
-
CrackMapExec now includes DPAPI cred dumping as a core feature thanks to the dploot library by Thomas Seigneuret from the Orange Cyberdefense French team.
Picture from @mpgn’s bird account.
-
CrackMapExec now includes DPAPI cred dumping as a core feature thanks to the dploot library by Thomas Seigneuret from the Orange Cyberdefense French team.
Picture from @mpgn’s bird account.
-
CrackMapExec now includes DPAPI cred dumping as a core feature thanks to the dploot library by Thomas Seigneuret from the Orange Cyberdefense French team.
Picture from @mpgn’s bird account.