home.social

#dpapi — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #dpapi, aggregated by home.social.

  1. ----------------

    🔧 Tool: VMkatz

    VMkatz is a compact forensic/offensive utility designed to extract Windows secrets directly from virtual machine artifacts without full-disk exfiltration. It targets memory snapshots and offline virtual disks to recover credential material typically harvested by in-guest tools such as mimikatz, but operates against VM files stored on NAS, hypervisors, or virtualization hosts.

    What it extracts (concise)
    • From memory snapshots (LSASS equivalents): NT/LM hashes (MSV1_0), plaintext where available (WDigest, TsPkg, SSP, LiveSSP), Kerberos keys and tickets (AES/RC4/DES), DPAPI master key cache entries, Credman entries and CloudAP tokens when present.
    • From virtual disks (offline): SAM hashes, LSA secrets, cached domain credentials (DCC2), and native NTDS.dit extraction from ESE databases on domain controller disks.

    Supported inputs and environment
    • Common snapshot/disk formats: VMware snapshots (.vmsn + .vmem), VMware virtual disks (.vmdk sparse/flat), VirtualBox saved states (.sav). Additional parsers listed include Hyper‑V and QEMU core dump variants (some untested).
    • The project is distributed as a single static binary (~2.5 MB) intended to be run on hosts that can access VM files (NAS, ESXi, Proxmox nodes), enabling credential recovery without transferring multi‑gigabyte images offsite.

    Technical notes and scope
    • Memory parsing implements provider-specific walks (AVL trees, linked lists, hash tables) and falls back to physical-scan strategies for paged entries where applicable.
    • NTDS.dit extraction reads the ESE database natively for AD hash recovery; no reliance on external tooling is required for that functionality.
    • Several input formats remain marked as untested; results may vary by hypervisor version and snapshot composition.

    Limitations and operational considerations
    • Effectiveness depends on the snapshot content and whether the relevant credential pages are present in the captured artifacts.
    • Some providers (e.g., CloudAP, LiveSSP) may be empty or absent on many systems.

    🔹 VMkatz #ntds.dit #dpapi #vmdk #forensics

    🔗 Source: github.com/nikaiw/VMkatz

  2. Researchers have revealed a DPAPI-based Teams token theft method allowing attackers to decrypt locally stored authentication cookies and impersonate enterprise users.

    ⚙️ Technical context:
    - Target: msedgewebview2.exe process spawned by Teams.
    - Stores AES-256-GCM encrypted cookies in a SQLite database.
    - Decryption possible by extracting os_crypt.encrypted_key from Local State and unprotecting via DPAPI.
    - Enables attackers to read Teams/SharePoint data and send messages as victims.

    💬 SOC/DFIR pros - what’s the best detection vector here? File I/O from WebView2? Suspicious DPAPI calls?

    👍 Drop your hunting ideas below, like this post & follow @technadu for continuous threat research coverage.
    #MicrosoftTeams #DPAPI #Forensics #DFIR #ThreatIntel #WindowsSecurity #InfoSec #AccessTokens #EDR #SOC #CyberDefense #TechNadu

  3. Researchers have revealed a DPAPI-based Teams token theft method allowing attackers to decrypt locally stored authentication cookies and impersonate enterprise users.

    ⚙️ Technical context:
    - Target: msedgewebview2.exe process spawned by Teams.
    - Stores AES-256-GCM encrypted cookies in a SQLite database.
    - Decryption possible by extracting os_crypt.encrypted_key from Local State and unprotecting via DPAPI.
    - Enables attackers to read Teams/SharePoint data and send messages as victims.

    💬 SOC/DFIR pros - what’s the best detection vector here? File I/O from WebView2? Suspicious DPAPI calls?

    👍 Drop your hunting ideas below, like this post & follow @technadu for continuous threat research coverage.
    #MicrosoftTeams #DPAPI #Forensics #DFIR #ThreatIntel #WindowsSecurity #InfoSec #AccessTokens #EDR #SOC #CyberDefense #TechNadu

  4. Researchers have revealed a DPAPI-based Teams token theft method allowing attackers to decrypt locally stored authentication cookies and impersonate enterprise users.

    ⚙️ Technical context:
    - Target: msedgewebview2.exe process spawned by Teams.
    - Stores AES-256-GCM encrypted cookies in a SQLite database.
    - Decryption possible by extracting os_crypt.encrypted_key from Local State and unprotecting via DPAPI.
    - Enables attackers to read Teams/SharePoint data and send messages as victims.

    💬 SOC/DFIR pros - what’s the best detection vector here? File I/O from WebView2? Suspicious DPAPI calls?

    👍 Drop your hunting ideas below, like this post & follow @technadu for continuous threat research coverage.
    #MicrosoftTeams #DPAPI #Forensics #DFIR #ThreatIntel #WindowsSecurity #InfoSec #AccessTokens #EDR #SOC #CyberDefense #TechNadu

  5. Phew! 🥳 This little #powershell gem saved my ass today when I tried to migrate a #Signal Desktop install to another Windows PC.
    (Not a thing officially supported by @signalapp)

    The database encryption key itself is device-specifically encrypted using the „Data Protection API“ (haha) #DPAPI, so signal can't decrypt it on the new machine.

    Using a legacy parameter, you can put the unencrypted key on the old machine, transfer it to the new one and have it re-encrypted.

    github.com/MatejKafka/PSSignal

  6. Phew! 🥳 This little #powershell gem saved my ass today when I tried to migrate a #Signal Desktop install to another Windows PC.
    (Not a thing officially supported by @signalapp)

    The database encryption key itself is device-specifically encrypted using the „Data Protection API“ (haha) #DPAPI, so signal can't decrypt it on the new machine.

    Using a legacy parameter, you can put the unencrypted key on the old machine, transfer it to the new one and have it re-encrypted.

    github.com/MatejKafka/PSSignal

  7. Phew! 🥳 This little #powershell gem saved my ass today when I tried to migrate a #Signal Desktop install to another Windows PC.
    (Not a thing officially supported by @signalapp)

    The database encryption key itself is device-specifically encrypted using the „Data Protection API“ (haha) #DPAPI, so signal can't decrypt it on the new machine.

    Using a legacy parameter, you can put the unencrypted key on the old machine, transfer it to the new one and have it re-encrypted.

    github.com/MatejKafka/PSSignal

  8. Phew! 🥳 This little #powershell gem saved my ass today when I tried to migrate a #Signal Desktop install to another Windows PC.
    (Not a thing officially supported by @signalapp)

    The database encryption key itself is device-specifically encrypted using the „Data Protection API“ (haha) #DPAPI, so signal can't decrypt it on the new machine.

    Using a legacy parameter, you can put the unencrypted key on the old machine, transfer it to the new one and have it re-encrypted.

    github.com/MatejKafka/PSSignal

  9. Phew! 🥳 This little #powershell gem saved my ass today when I tried to migrate a #Signal Desktop install to another Windows PC.
    (Not a thing officially supported by @signalapp)

    The database encryption key itself is device-specifically encrypted using the „Data Protection API“ (haha) #DPAPI, so signal can't decrypt it on the new machine.

    Using a legacy parameter, you can put the unencrypted key on the old machine, transfer it to the new one and have it re-encrypted.

    github.com/MatejKafka/PSSignal

  10. Did you know there’s a backup key stored on your domain controllers that can decrypt DPAPI-stored secrets for all domain users? 🚨 And unfortunately, there's no way to rotate this key!

    Watch CQURE’s Paula Januszkiewicz as she demonstrates how this key can be retrieved and utilized.

    📺 youtu.be/UPoAhKbJaCI

    #CyberSecurity #Windows #DPAPI #ActiveDirectory #RSAC

  11. Did you know there’s a backup key stored on your domain controllers that can decrypt DPAPI-stored secrets for all domain users? 🚨 And unfortunately, there's no way to rotate this key!

    Watch CQURE’s Paula Januszkiewicz as she demonstrates how this key can be retrieved and utilized.

    📺 youtu.be/UPoAhKbJaCI

    #CyberSecurity #Windows #DPAPI #ActiveDirectory #RSAC

  12. Did you know there’s a backup key stored on your domain controllers that can decrypt DPAPI-stored secrets for all domain users? 🚨 And unfortunately, there's no way to rotate this key!

    Watch CQURE’s Paula Januszkiewicz as she demonstrates how this key can be retrieved and utilized.

    📺 youtu.be/UPoAhKbJaCI

    #CyberSecurity #Windows #DPAPI #ActiveDirectory #RSAC

  13. Did you know there’s a backup key stored on your domain controllers that can decrypt DPAPI-stored secrets for all domain users? 🚨 And unfortunately, there's no way to rotate this key!

    Watch CQURE’s Paula Januszkiewicz as she demonstrates how this key can be retrieved and utilized.

    📺 youtu.be/UPoAhKbJaCI

    #CyberSecurity #Windows #DPAPI #ActiveDirectory #RSAC

  14. Did you know there’s a backup key stored on your domain controllers that can decrypt DPAPI-stored secrets for all domain users? 🚨 And unfortunately, there's no way to rotate this key!

    Watch CQURE’s Paula Januszkiewicz as she demonstrates how this key can be retrieved and utilized.

    📺 youtu.be/UPoAhKbJaCI

    #CyberSecurity #Windows #DPAPI #ActiveDirectory #RSAC

  15. [Перевод] Pivot to the Clouds: Кража cookie в 2024 году

    Недавно Google опубликовала блог об обнаружении кражи данных из браузера с помощью журналов событий Windows . В этом посте есть несколько полезных советов для защитников о том, как обнаружить неправомерное использование вызовов DPAPI, пытающихся захватить конфиденциальные данные браузера. Изучить

    habr.com/ru/articles/815333/

    #powershell #cookie #dpapi #edr #redteam

  16. [Перевод] Pivot to the Clouds: Кража cookie в 2024 году

    Недавно Google опубликовала блог об обнаружении кражи данных из браузера с помощью журналов событий Windows . В этом посте есть несколько полезных советов для защитников о том, как обнаружить неправомерное использование вызовов DPAPI, пытающихся захватить конфиденциальные данные браузера. Изучить

    habr.com/ru/articles/815333/

    #powershell #cookie #dpapi #edr #redteam

  17. [Перевод] Pivot to the Clouds: Кража cookie в 2024 году

    Недавно Google опубликовала блог об обнаружении кражи данных из браузера с помощью журналов событий Windows . В этом посте есть несколько полезных советов для защитников о том, как обнаружить неправомерное использование вызовов DPAPI, пытающихся захватить конфиденциальные данные браузера. Изучить

    habr.com/ru/articles/815333/

    #powershell #cookie #dpapi #edr #redteam

  18. Wow, this is a great write-up of a classic pentest that ended-up in focusing on @bitwarden and how to unlock the vault with no password when biometrics/#WindowsHello are enabled! Very useful details for anyone looking into using #DPAPI the correct way! (which is currently my case 🤩)

    blog.redteam-pentesting.de/202

  19. Wow, this is a great write-up of a classic pentest that ended-up in focusing on @bitwarden and how to unlock the vault with no password when biometrics/#WindowsHello are enabled! Very useful details for anyone looking into using #DPAPI the correct way! (which is currently my case 🤩)

    blog.redteam-pentesting.de/202

  20. Wow, this is a great write-up of a classic pentest that ended-up in focusing on @bitwarden and how to unlock the vault with no password when biometrics/#WindowsHello are enabled! Very useful details for anyone looking into using #DPAPI the correct way! (which is currently my case 🤩)

    blog.redteam-pentesting.de/202

  21. Wow, this is a great write-up of a classic pentest that ended-up in focusing on @bitwarden and how to unlock the vault with no password when biometrics/#WindowsHello are enabled! Very useful details for anyone looking into using #DPAPI the correct way! (which is currently my case 🤩)

    blog.redteam-pentesting.de/202

  22. Wow, this is a great write-up of a classic pentest that ended-up in focusing on @bitwarden and how to unlock the vault with no password when biometrics/#WindowsHello are enabled! Very useful details for anyone looking into using #DPAPI the correct way! (which is currently my case 🤩)

    blog.redteam-pentesting.de/202

  23. CrackMapExec now includes DPAPI cred dumping as a core feature thanks to the dploot library by Thomas Seigneuret from the Orange Cyberdefense French team.

    Picture from @mpgn’s bird account.

    #CrackMapExec #DPAPI

  24. CrackMapExec now includes DPAPI cred dumping as a core feature thanks to the dploot library by Thomas Seigneuret from the Orange Cyberdefense French team.

    Picture from @mpgn’s bird account.

    #CrackMapExec #DPAPI

  25. CrackMapExec now includes DPAPI cred dumping as a core feature thanks to the dploot library by Thomas Seigneuret from the Orange Cyberdefense French team.

    Picture from @mpgn’s bird account.

    #CrackMapExec #DPAPI

  26. CrackMapExec now includes DPAPI cred dumping as a core feature thanks to the dploot library by Thomas Seigneuret from the Orange Cyberdefense French team.

    Picture from @mpgn’s bird account.

    #CrackMapExec #DPAPI

  27. CrackMapExec now includes DPAPI cred dumping as a core feature thanks to the dploot library by Thomas Seigneuret from the Orange Cyberdefense French team.

    Picture from @mpgn’s bird account.

    #CrackMapExec #DPAPI