
H3-2023-0019

Credential Dumping - Data Protection API (DPAPI) Secrets

Category SECURITY_CONTROLS
Base Score 7.2

Description

Windows uses the Data Protection API (DPAPI) to encrypt credentials that applications store on the system. DPAPI blobs are encrypted with per-user (or per-machine) master keys; a user's master keys are in turn protected with a key derived from that user's password and, on domain-joined hosts, are also recoverable with the domain's DPAPI backup key held by the domain controllers. Examples of secrets protected this way are credentials saved in browsers, passwords stored for scheduled tasks and Remote Desktop connections, and service account passwords. An attacker with administrative privileges on the host can extract the master keys (for example from LSASS memory, or by decrypting the master key files with the user's password hash or the domain backup key) and then decrypt every DPAPI-protected secret on the system to recover the cleartext passwords.
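A detection check that goes with this finding, written as an added example rather than anything from the original page: Windows can audit DPAPI master key operations (Security events 4692, backup of a master key attempted, and 4693, recovery of a master key attempted, in the "Audit DPAPI Activity" subcategory). A legitimate user recovers a master key rarely, typically after a password change, whereas an attacker decrypting a harvested set of master keys produces a burst of recoveries for many distinct key GUIDs from one account. The log records below are constructed and simplified (field names such as `key_id` and `status` stand in for the event's Key Identifier and Status Code); the ten-minute window and threshold of three keys are assumptions to tune for your environment, not a Microsoft-documented rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data), simplified from the Windows
# Security log's "Audit DPAPI Activity" subcategory:
#   4692 - backup of a data protection master key was attempted
#   4693 - recovery of a data protection master key was attempted
# "key_id" stands in for the event's Key Identifier (a master key GUID) and
# "status" for its Status Code (0x0 = success). Real events carry more fields.
SAMPLE_EVENTS = [
    # alice: one normal recovery followed by a backup to the DC
    {"time": "2023-05-02T08:01:10", "id": 4693, "user": "CORP\\alice", "host": "WS01",
     "key_id": "{0a6d3a7c-1111-4e2b-9c3f-000000000001}", "status": "0x0"},
    {"time": "2023-05-02T08:01:11", "id": 4692, "user": "CORP\\alice", "host": "WS01",
     "key_id": "{0a6d3a7c-1111-4e2b-9c3f-000000000001}", "status": "0x0"},
    # carol: three recoveries spread over two hours, below the burst threshold
    {"time": "2023-05-02T09:00:00", "id": 4693, "user": "CORP\\carol", "host": "WS03",
     "key_id": "{0a6d3a7c-3333-4e2b-9c3f-000000000003}", "status": "0x0"},
    {"time": "2023-05-02T10:00:00", "id": 4693, "user": "CORP\\carol", "host": "WS03",
     "key_id": "{0a6d3a7c-3333-4e2b-9c3f-000000000004}", "status": "0x0"},
    {"time": "2023-05-02T11:00:00", "id": 4693, "user": "CORP\\carol", "host": "WS03",
     "key_id": "{0a6d3a7c-3333-4e2b-9c3f-000000000005}", "status": "0x0"},
    # bob: four distinct master keys recovered within five seconds, plus one
    # failed attempt; this is the bulk-decryption pattern the check looks for
    {"time": "2023-05-02T13:00:01", "id": 4693, "user": "CORP\\bob", "host": "WS02",
     "key_id": "{0a6d3a7c-2222-4e2b-9c3f-000000000011}", "status": "0x0"},
    {"time": "2023-05-02T13:00:02", "id": 4693, "user": "CORP\\bob", "host": "WS02",
     "key_id": "{0a6d3a7c-2222-4e2b-9c3f-000000000012}", "status": "0x0"},
    {"time": "2023-05-02T13:00:03", "id": 4693, "user": "CORP\\bob", "host": "WS02",
     "key_id": "{0a6d3a7c-2222-4e2b-9c3f-000000000013}", "status": "0x0"},
    {"time": "2023-05-02T13:00:04", "id": 4693, "user": "CORP\\bob", "host": "WS02",
     "key_id": "{0a6d3a7c-2222-4e2b-9c3f-000000000014}", "status": "0x0"},
    {"time": "2023-05-02T13:00:05", "id": 4693, "user": "CORP\\bob", "host": "WS02",
     "key_id": "{0a6d3a7c-2222-4e2b-9c3f-000000000015}", "status": "0x5"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_masterkey_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return (user, host, sorted key ids) for every account that successfully
    recovered `threshold` or more distinct master keys within `window`.
    Heuristic (assumption): bulk master key recovery by one account is the
    signature of an attacker decrypting harvested DPAPI keys."""
    by_actor = defaultdict(list)
    for e in events:
        if e["id"] == 4693 and e["status"] == "0x0":
            by_actor[(e["user"], e["host"])].append((_ts(e["time"]), e["key_id"]))
    alerts = []
    for (user, host), recs in by_actor.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):
            # all distinct keys recovered in the window starting at this event
            keys = {k for t, k in recs[i:] if t - start <= window}
            if len(keys) >= threshold:
                alerts.append((user, host, sorted(keys)))
                break
    return alerts


def count_by_actor(events):
    """Per-(user, host) counts of successful backups (4692) and recoveries
    (4693): a baseline showing which accounts touch master keys at all."""
    counts = defaultdict(lambda: {"backup": 0, "recovery": 0})
    for e in events:
        if e["status"] != "0x0":
            continue
        if e["id"] == 4692:
            counts[(e["user"], e["host"])]["backup"] += 1
        elif e["id"] == 4693:
            counts[(e["user"], e["host"])]["recovery"] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, host, keys in find_masterkey_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {user} on {host} recovered {len(keys)} master keys in one window")
```

The events only appear if the subcategory is switched on (`auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable`), and the check covers only recoveries that go through the DPAPI API; an attacker who decrypts master key files offline with a stolen password hash or the exported domain backup key generates no 4693 at all, so LSASS access and backup key retrieval on the domain controllers need their own monitoring.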

Impact

Attackers who obtain cleartext credentials or NTLM hashes can log in directly with them. Because the recovered secrets frequently belong to other users, service accounts, or remote systems rather than only to the compromised host, they allow an attacker to move laterally across the environment.

References