WindowsCredentialFiles

Overview

The WindowsCredentialFiles command searches for Windows credential files protected by DPAPI (Data Protection API). These encrypted blob files contain saved credentials, certificates, and other sensitive data that can be decrypted with the appropriate DPAPI master keys. Important: User commands run for the current user if not elevated and for ALL users if elevated.

Syntax

Seatbelt.exe WindowsCredentialFiles

No additional arguments are supported.

Output

The command returns:

Credential file locations
File names and GUIDs
File sizes and timestamps
User context for each credential file
DPAPI blob indicators
Credential file counts per user

Use Cases

Red Team

Credential Access: Locate DPAPI-protected credential files for offline decryption
Data Harvesting: Identify credential stores for post-exploitation
Privilege Escalation: Target high-value credential files
Persistence: Understand credential storage for long-term access
DPAPI Attacks: Prepare for DPAPI master key extraction and blob decryption

Blue Team

Forensic Analysis: Identify credential files during investigations
Data Protection Audit: Verify DPAPI-protected credential security
Incident Response: Assess credential exposure during security events
Security Baseline: Document credential storage locations and permissions
Risk Assessment: Evaluate exposure from credential files

Example Output

====== WindowsCredentialFiles ======

User: john.doe

  Credential Files  : C:\Users\john.doe\AppData\Local\Microsoft\Credentials

  Credential File
    FileName          : 0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D
    FilePath          : C:\Users\john.doe\AppData\Local\Microsoft\Credentials\0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D
    Size              : 512 bytes
    Created           : 2024-09-15 10:30:00
    Modified          : 2024-10-18 14:22:15

  Credential File
    FileName          : 1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E
    FilePath          : C:\Users\john.doe\AppData\Local\Microsoft\Credentials\1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E
    Size              : 768 bytes
    Created           : 2024-10-01 08:15:30
    Modified          : 2024-10-20 09:45:00

Total Credential Files: 2

User: admin

  Credential Files  : C:\Users\admin\AppData\Local\Microsoft\Credentials

  Credential File
    FileName          : 2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F
    FilePath          : C:\Users\admin\AppData\Local\Microsoft\Credentials\2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F
    Size              : 1024 bytes
    Created           : 2024-08-20 12:00:00
    Modified          : 2024-10-19 11:30:22

Total Credential Files: 1

Privilege Context

Non-Elevated: Searches for Windows credential files for the current user only
Elevated: Searches for Windows credential files for ALL users on the system, providing comprehensive credential file discovery

Remote Execution

This command does not support remote execution (not marked with + in the command list).

Detection Considerations

Indicators

File system enumeration in Credentials directories
Access to %LOCALAPPDATA%\Microsoft\Credentials
Reading DPAPI blob files
Enumeration across multiple user profiles

Defensive Monitoring

Monitor access to Credentials directories by non-system processes
Alert on bulk enumeration of credential files
Track processes reading DPAPI blob files
Log unusual access patterns to credential storage
Detect credential dumping tools accessing DPAPI files
Monitor for credential file exfiltration attempts
Alert on copying or moving credential files

DPAPI Protection

Credential files are encrypted with DPAPI
Decryption requires user’s DPAPI master key
Master keys derived from user’s password
Can be decrypted with master key or user’s password
Elevation or SYSTEM access may enable decryption

What Credential Files May Contain

Saved network passwords
Application credentials
Certificate private keys
Generic Windows credentials
Domain credentials
Web credentials
RDP saved passwords

Security Recommendations

Protect DPAPI master key directories with strict ACLs
Enable file access auditing on Credentials folders
Monitor for offline credential extraction tools
Implement Windows Defender Credential Guard
Use EDR solutions that detect DPAPI attacks
Regularly audit credential file access
Educate users on secure credential management

DpapiMasterKeys: Lists DPAPI master keys needed for decryption
WindowsVault: Enumerates credentials in Windows Vault
CredEnum: Lists saved credentials using Windows API
Certificates: Finds certificate files which may use DPAPI
SecPackageCreds: Obtains credentials from security packages

Getting Started

System - OS & Environment

System - Security Configuration

System - Authentication & Access

System - Network

System - Monitoring & Enterprise

System - Advanced

User - Credentials

User - Browser Data

User - Cloud & Remote Access

User - Recent Activity

User - Communication

Misc - Event Logs

Misc - Browser History

Misc - File & Registry

Misc - System Details

Overview

Syntax

Output

Use Cases

Red Team

Blue Team

Example Output

Privilege Context

Remote Execution

Detection Considerations

Indicators

Defensive Monitoring

DPAPI Protection

What Credential Files May Contain

Security Recommendations

Getting Started

System - OS & Environment

System - Security Configuration

System - Authentication & Access

System - Network

System - Monitoring & Enterprise

System - Advanced

User - Credentials

User - Browser Data

User - Cloud & Remote Access

User - Recent Activity

User - Communication

Misc - Event Logs

Misc - Browser History

Misc - File & Registry

Misc - System Details

​Overview

​Syntax

​Output

​Use Cases

​Red Team

​Blue Team

​Example Output

​Privilege Context

​Remote Execution

​Detection Considerations

​Indicators

​Defensive Monitoring

​DPAPI Protection

​What Credential Files May Contain

​Security Recommendations

​Related Commands

Overview

Syntax

Output

Use Cases

Red Team

Blue Team

Example Output

Privilege Context

Remote Execution

Detection Considerations

Indicators

Defensive Monitoring

DPAPI Protection

What Credential Files May Contain

Security Recommendations

Related Commands