Credential Access · Term

What is DPAPI?

DPAPI is the Windows system that encrypts secrets such as browser passwords and saved credentials. Attackers abuse it to decrypt exactly those secrets once they are running as the user or hold that user's master key. Here is how.

TL;DR

DPAPI (Data Protection API) is the built-in Windows service that encrypts and decrypts user secrets such as browser passwords, saved credentials and Wi-Fi keys, tied to the user’s login. The encryption uses a per-user master key derived from the user’s password. An attacker running as the user, or who steals the master key (and on a domain, the DPAPI backup key from a DC), can decrypt all of that user’s protected secrets. It is abused to turn account access into a pile of cleartext credentials.

By John Dill, Red Team Lead, SecureLayer7

What DPAPI is

Applications need to store secrets (a saved password, a token) and want them encrypted without managing keys themselves. DPAPI provides that: an app hands DPAPI a secret and gets back ciphertext, and only the same user context can decrypt it.

The per-user master key is derived from the user’s password, and the key that protects each blob comes from that master key. That convenience is the weakness: anyone who can act as the user, or obtain the master key, can decrypt everything DPAPI protected for that user.
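The round trip an application makes, as an added PowerShell example that is not from the original page. It calls the .NET ProtectedData wrapper over CryptProtectData/CryptUnprotectData in CurrentUser scope; the secret and entropy strings are constructed sample values, and the script assumes Windows PowerShell 5.1 on a Windows host.

```powershell
# Added example (not from the original page): protect and unprotect a secret with DPAPI
# through .NET's ProtectedData wrapper. Run in Windows PowerShell 5.1 on Windows.
Add-Type -AssemblyName System.Security

$secret  = [System.Text.Encoding]::UTF8.GetBytes('example-api-token-12345')   # constructed sample secret
$entropy = [System.Text.Encoding]::UTF8.GetBytes('app-specific-entropy')       # optional extra secret the app keeps

# Protect: the app supplies no key. DPAPI picks one from the user's master key, so the
# blob is readable only by the same user account (CurrentUser scope).
$blob = [System.Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)

# DPAPI blobs start with version 01 00 00 00 followed by the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb; useful for recognising stored blobs in config files.
"Encrypted blob: $($blob.Length) bytes, header $([BitConverter]::ToString([byte[]]$blob[0..19]))"

# Unprotect in the same user context: LSA locates the master key for this user and
# decrypts transparently, which is exactly why acting as the user is enough to recover it.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
    $blob, $entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
"Decrypted: $([System.Text.Encoding]::UTF8.GetString($plain))"

# The master keys backing this blob live under the user's profile, one file per key GUID.
# These are the files the defence section says to monitor.
$sid = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
Get-ChildItem -Force (Join-Path $env:APPDATA "Microsoft\Protect\$sid") | Select-Object Name, Length, LastWriteTime

# Wrong entropy (or a different user context) fails with CryptographicException
# rather than returning garbage.
try {
    [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, [System.Text.Encoding]::UTF8.GetBytes('wrong'),
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser) | Out-Null
} catch [System.Security.Cryptography.CryptographicException] {
    "Unprotect with wrong entropy failed as expected: $($_.Exception.Message)"
}
```

The optional entropy is worth noting for defenders: a DPAPI blob protected with application-supplied entropy cannot be decrypted with the master key alone, so applications that use it raise the bar beyond "run as the user".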

The abuse and payload

Once an attacker has a user’s context or master key, DPAPI hands over their secrets:

  • Decrypt the user’s secrets in their session with a DPAPI tool (browser logins, Credential Manager, vaults).
  • Steal and decrypt the master key offline with the user’s password or hash.
  • On a domain, abuse the DPAPI domain backup key from a Domain Controller to decrypt any user’s DPAPI secrets, a powerful, quiet harvest.

Documented techniques shown for defenders.

How to defend

  • Protect the DPAPI domain backup key: it is a Domain-Controller secret that unlocks every user’s DPAPI data; guard the DC accordingly.
  • Limit local admin and enable [Credential Guard](/learn/active-directory/what-is-credential-guard) to make stealing keys and the user context harder.
  • Avoid storing sensitive secrets in browser/credential stores on high-value hosts.
  • Detect access to DPAPI master-key files and abnormal credential-store reads.
  • Require strong user passwords, since the master key is derived from them.
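An added PowerShell example, not from the original page, of the detection bullet above: enable the audit subcategories that log DPAPI master-key activity, put a read audit on the user's master-key folder, and pull the resulting Security events. It needs an elevated prompt on the monitored host; the one-day lookback, the lsass.exe allow-list and the Get-EventData helper are this example's own assumptions, to be tuned for your environment.

```powershell
# Added example (not from the original page): audit and hunt DPAPI master-key access.
# Run from an elevated Windows PowerShell prompt on the host being monitored.

# 1. Enable the subcategories that emit DPAPI events (4692 backup, 4693 recovery,
#    4695 unprotection of auditable data) and file-access events (4663).
auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable
auditpol /set /subcategory:"File System"    /success:enable /failure:enable

# 2. Add a SACL to the current user's master-key folder so every read of a key file
#    produces a 4663 event. Repeat per profile, or deploy through GPO, for other users.
$protectDir = Join-Path $env:APPDATA 'Microsoft\Protect'
$acl  = Get-Acl -Path $protectDir -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $protectDir -AclObject $acl

# 3. Helper (assumed, not a built-in): flatten an event's EventData into a name -> value table,
#    which is more robust than relying on positional Properties[] indexes.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml  = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$since = (Get-Date).AddDays(-1)   # assumed lookback window

# 4. Master-key backup/recovery activity. 4693 means a master key was recovered through
#    the domain backup key; it occurs legitimately (profile moves, password resets), so
#    baseline it and alert on unexpected hosts, users or volumes. Absent fields show blank.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4692,4693,4695; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time = $_.TimeCreated; Id = $_.Id; User = $d['SubjectUserName']
            MasterKey = $d['MasterKeyId']; Failure = $d['FailureReason']
        }
    } | Format-Table -AutoSize

# 5. Reads of master-key files by anything other than lsass.exe. DPAPI decrypts inside LSA,
#    so another process opening these files directly is worth investigating.
#    The lsass.exe allow-list is an assumption; extend it for known backup agents.
$keyPathPattern = '\\Microsoft\\Protect\\S-1-5-21-'
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4663; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d['ObjectName'] -match $keyPathPattern -and $d['ProcessName'] -notmatch '\\lsass\.exe$') {
            [pscustomobject]@{
                Time = $_.TimeCreated; User = $d['SubjectUserName']
                File = $d['ObjectName']; Process = $d['ProcessName']; Access = $d['AccessMask']
            }
        }
    } | Format-Table -AutoSize
```

Pair the host-side view with the Domain Controller side: the DPAPI domain backup key is read from the DC, so the same 4663-style file and registry auditing on DCs, and alerting on 4693 recoveries that originate from hosts or accounts that have no business recovering other users' keys, covers the "quiet harvest" path described above.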
