search

Credential Manager

hashtag
Enumerate vaults

circle-info

Methods below sometimes don't show all present credential files, check manually

dir C:\\users\\USERNAME\\AppData\\local\\Microsoft\\Credentials
vaultcmd /list

Vault: Windows Credentials
vaultcmd /listcreds:"Windows Credentials" /all

Identity: SQL-2\Administrator

Based on this, we now know that the user has saved credentials for the local administrator account on SQL-2.

hashtag
Retrieve encrypted credentials

ls C:\Users\bfarmer\AppData\Local\Microsoft\Credentials

468b     fil     09/06/2022 10:34:22   6C33AC85D0C4DCEAB186B3B2E5B1AC7C
10kb     fil     08/30/2022 08:42:59   DFBE70A7E5CC19A398EBF1B96859CE5D

Master keys are stored here:

ls C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\
ls C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104

hashtag
Grab Master Key (using LSASS)

(local admin required + user recently accessed the cred)

hashtag
Grab Master Key (using AD)

(no local admin required)

This will only work if executed in the context of the user who owns the key. If SYSTEM/other user, must impersonate the target user first, then execute the command using the @ modifier.

hashtag
Decrypt blob

Last updated