Overview
The DpapiMasterKeys command enumerates Data Protection API (DPAPI) master keys on the system. DPAPI master keys are used to encrypt and decrypt sensitive user data including saved passwords, certificates, and other credential material. Understanding DPAPI key locations is crucial for credential access operations.
Important: User commands run for the current user if not elevated and for ALL users if elevated.
Syntax
Output
The command returns:
- DPAPI master key file locations
- Master key GUIDs
- File paths for each user
- Key creation timestamps
- User context for each master key
- Preferred master key identification
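The fields listed above map directly onto the on-disk layout of a user's Protect directory: one SID-named folder per user, one GUID-named file per master key, and a Preferred file that records which key is current. The following inventory script is an added example written for this page (not the tool's own code) to show how a defender can baseline those locations; it builds a constructed Protect tree in a temporary directory so it runs anywhere, and the SID, GUIDs and expiry date in it are made up. The Preferred file layout it parses (a 16-byte mixed-endian GUID followed by an 8-byte FILETIME expiry) is the documented format.

```python
"""Baseline inventory of DPAPI master key files under a Protect directory tree.

Added example, not part of the original page. On a real Windows host, point
enumerate_master_keys() at %APPDATA%\\Microsoft\\Protect (per-user keys);
here a constructed tree in a temp directory is used instead.
"""
import os
import re
import struct
import tempfile
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Master key files are named by their GUID, one per key, inside a per-user SID directory.
GUID_NAME = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
SID_NAME = re.compile(r"^S-1-\d+(?:-\d+)+$")

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Integer arithmetic only: microseconds since 1601 exceed float precision."""
    delta = dt - WINDOWS_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def read_preferred(path: str) -> Optional[Tuple[str, datetime]]:
    """Preferred = 16-byte mixed-endian GUID of the key in use + 8-byte FILETIME expiry."""
    with open(path, "rb") as fh:
        data = fh.read(24)
    if len(data) < 24:
        return None
    guid = uuid.UUID(bytes_le=data[:16])
    expires = filetime_to_datetime(struct.unpack("<Q", data[16:24])[0])
    return str(guid), expires


@dataclass
class MasterKeyRecord:
    sid: str                      # user context (SID directory name)
    guid: str                     # master key GUID (file name)
    path: str
    modified: datetime            # file timestamp
    preferred: bool               # named in the Preferred file
    expires: Optional[datetime]   # Preferred-file expiry, for the preferred key only


def enumerate_master_keys(protect_root: str) -> List[MasterKeyRecord]:
    records: List[MasterKeyRecord] = []
    for sid in sorted(os.listdir(protect_root)):
        sid_dir = os.path.join(protect_root, sid)
        if not (SID_NAME.match(sid) and os.path.isdir(sid_dir)):
            continue
        preferred_guid, preferred_expiry = None, None
        pref_path = os.path.join(sid_dir, "Preferred")
        if os.path.isfile(pref_path):
            parsed = read_preferred(pref_path)
            if parsed:
                preferred_guid, preferred_expiry = parsed[0].lower(), parsed[1]
        for name in sorted(os.listdir(sid_dir)):
            if not GUID_NAME.match(name):
                continue
            full = os.path.join(sid_dir, name)
            mtime = datetime.fromtimestamp(os.stat(full).st_mtime, tz=timezone.utc)
            is_pref = name.lower() == preferred_guid
            records.append(MasterKeyRecord(sid, name.lower(), full, mtime, is_pref,
                                           preferred_expiry if is_pref else None))
    return records


def build_sample_tree() -> str:
    """Constructed sample: one user SID with two master keys, the newer one marked Preferred."""
    root = tempfile.mkdtemp(prefix="protect-")
    sid_dir = os.path.join(root, "S-1-5-21-1111-2222-3333-1001")   # constructed SID
    os.makedirs(sid_dir)
    old_key = "0b1a2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d"                  # constructed GUIDs
    new_key = "6f5e4d3c-2b1a-4f0e-9d8c-7b6a5f4e3d2c"
    for guid in (old_key, new_key):
        with open(os.path.join(sid_dir, guid), "wb") as fh:
            fh.write(b"\x00" * 64)   # placeholder; real files hold the encrypted key blob
    expiry = datetime(2024, 1, 1, tzinfo=timezone.utc)              # constructed expiry
    with open(os.path.join(sid_dir, "Preferred"), "wb") as fh:
        fh.write(uuid.UUID(new_key).bytes_le + struct.pack("<Q", datetime_to_filetime(expiry)))
    return root


if __name__ == "__main__":
    for rec in enumerate_master_keys(build_sample_tree()):
        flag = f" (preferred, expires {rec.expires:%Y-%m-%d})" if rec.preferred else ""
        print(f"{rec.sid}  {rec.guid}  {rec.modified:%Y-%m-%d}{flag}")
```

Running the inventory periodically and diffing the records gives the "Security Baseline" use case below a concrete artifact: a new GUID in a SID directory, or a Preferred file pointing at a key that was not there last time, is exactly what a baseline should surface.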
Use Cases
Red Team
- Credential Decryption: Locate DPAPI master keys needed to decrypt saved credentials
- Data Access: Enable decryption of DPAPI-protected data (browser passwords, certificates)
- Post-Exploitation: Identify keys required for offline credential extraction
- Persistence: Understand encryption keys for maintaining access to encrypted data
- Privilege Escalation: Correlate master keys with high-value credential stores
Blue Team
- Forensic Analysis: Identify DPAPI keys during incident investigations
- Data Protection Audit: Verify DPAPI key security and protection
- Incident Response: Assess potential credential exposure based on key access
- Security Baseline: Document DPAPI key locations and permissions
- Risk Assessment: Evaluate exposure of encrypted credential stores
Example Output
Privilege Context
- Non-Elevated: Lists DPAPI master keys for the current user only
- Elevated: Lists DPAPI master keys for ALL users on the system, providing comprehensive key enumeration for potential credential decryption
Remote Execution
This command supports remote execution (marked with + in the command list). Remote syntax:
Detection Considerations
Indicators
- File system enumeration in DPAPI master key directories
- Access to %APPDATA%\Microsoft\Protect directories
- Reading master key files
- Pattern-based searching for GUID-named files
- Enumeration across multiple user profiles
Defensive Monitoring
- Monitor access to DPAPI master key directories
- Alert on non-system processes reading master key files
- Track enumeration of Protect folders across user profiles
- Log unusual access patterns to DPAPI key locations
- Detect credential dumping tools accessing master keys
- Monitor for bulk master key enumeration
- Alert on master key file copying or exfiltration
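The indicators and monitoring items above reduce to two questions a detection can ask of file-access audit events: which process is touching files under a Protect directory, and how many distinct user SID directories that process touches. The script below is an added example (not part of the original page) that applies both rules to constructed records shaped like the parsed fields of Windows Security event 4663 (object access); the process paths, SIDs, user names and timestamps are made up, and the allowlist of expected processes is an assumption to tune per environment.

```python
"""Detection logic for DPAPI master key access over constructed audit records.

Added example, not from the original page. The records imitate parsed
Security-log event 4663 fields; on a real host they come from object-access
auditing enabled on the Protect directories.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Matches ...\Microsoft\Protect\<SID>\<file>, capturing the user SID and file name.
PROTECT_PATH = re.compile(r"\\Microsoft\\Protect\\(S-1-\d+(?:-\d+)+)\\([^\\]+)$", re.I)

# Processes expected to open master key files. lsass.exe hosts DPAPI on Windows;
# anything else is worth a look. Assumed starting allowlist; tune per environment.
EXPECTED_PROCESSES = {r"c:\windows\system32\lsass.exe"}

# Constructed sample events: event_id|timestamp|subject_user|process_name|object_name
SAMPLE_EVENTS = [
    r"4663|2024-05-01T10:00:01Z|alice|C:\Windows\System32\lsass.exe|"
    r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111-2222-3333-1001\0b1a2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
    r"4663|2024-05-01T10:02:10Z|alice|C:\Temp\enum.exe|"
    r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111-2222-3333-1001\Preferred",
    r"4663|2024-05-01T10:02:10Z|alice|C:\Temp\enum.exe|"
    r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111-2222-3333-1001\0b1a2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
    r"4663|2024-05-01T10:02:11Z|alice|C:\Temp\enum.exe|"
    r"C:\Users\bob\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111-2222-3333-1002\6f5e4d3c-2b1a-4f0e-9d8c-7b6a5f4e3d2c",
    r"4663|2024-05-01T10:03:00Z|alice|C:\Windows\System32\notepad.exe|"
    r"C:\Users\alice\Documents\notes.txt",
]


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a 4663 event that touches a Protect directory, else None."""
    event_id, ts, user, proc, obj = line.split("|", 4)
    match = PROTECT_PATH.search(obj)
    if event_id != "4663" or match is None:
        return None
    return {"time": ts, "user": user, "process": proc.lower(), "object": obj,
            "sid": match.group(1), "file": match.group(2)}


def analyze(lines: List[str], cross_profile_threshold: int = 2) -> List[Tuple[str, str, str]]:
    """Return (rule, process, detail) findings.

    Rule 1: a process outside EXPECTED_PROCESSES reads a master key or Preferred file.
    Rule 2: one such process touches keys of >= threshold distinct user SIDs, the
            footprint of elevated, all-users enumeration.
    """
    findings: List[Tuple[str, str, str]] = []
    sids_by_process: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["process"] in EXPECTED_PROCESSES:
            continue   # lsass legitimately serves every user, so it is excluded from both rules
        findings.append(("unexpected-process", ev["process"], ev["object"]))
        sids_by_process[ev["process"]].add(ev["sid"])
    for proc, sids in sids_by_process.items():
        if len(sids) >= cross_profile_threshold:
            findings.append(("cross-profile-enumeration", proc, f"{len(sids)} user SIDs"))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {proc}: {detail}")
```

Rule 2 is what distinguishes the elevated, all-users case in the Privilege Context section from a single user's own tooling: a non-elevated run can only reach its own SID directory, so a single process spanning several SIDs is a strong signal even when each individual read looks ordinary.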
Security Recommendations
- Protect DPAPI master key directories with strict ACLs
- Enable auditing on master key file access
- Monitor for offline credential extraction tools
- Implement EDR detection for DPAPI key access
- Use Windows Defender Credential Guard where applicable
- Regularly audit DPAPI key access logs
Related Commands
- WindowsCredentialFiles: Finds Windows credential DPAPI blobs
- WindowsVault: Enumerates credentials in Windows Vault (DPAPI-protected)
- CredEnum: Lists saved credentials that may be DPAPI-encrypted
- Certificates: Finds certificate files which may use DPAPI
- SecPackageCreds: Obtains credentials from security packages