BIPI

DPAPI Secrets Looting: Credentials, Browser Cookies, Wi-Fi Passwords

Cybersecurity

DPAPI protects almost every secret on a Windows host. A practical walkthrough of decrypting Credential Manager blobs, Chrome and Edge cookies, Wi-Fi PSKs, and DPAPI master keys with Mimikatz and SharpDPAPI.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 14, 2025 · 11 min read

#windows #dpapi #mimikatz #credentials #browser

What DPAPI actually protects

DPAPI (Data Protection API) is the per-user and per-machine encryption service that almost every Windows component uses for secrets at rest. Chrome and Edge cookies and saved passwords (the browser's AES key sits DPAPI-wrapped in its Local State file), RDP saved creds, Wi-Fi PSKs, certificate private keys, and Credential Manager entries all sit under DPAPI master keys. A user's master keys are encrypted with a key derived from the user's password (for domain accounts, equivalently from the NT hash) and the user's SID; machine secrets such as Wi-Fi profiles use master keys protected by the DPAPI_SYSTEM secret that LSASS holds. One caveat for the browser case: since Chrome 127 the cookie key is additionally "app-bound", wrapped once more by a Chrome elevation service running as SYSTEM, so user-context DPAPI alone no longer recovers cookies on current Chrome unless you also hold SYSTEM on that host.

Where the blobs live

  • %APPDATA%\Microsoft\Protect\<SID>\ for user master keys (one file per master key GUID; the Preferred file names the one currently in use)
  • %APPDATA%\Microsoft\Credentials\ and %LOCALAPPDATA%\Microsoft\Credentials\ for Credential Manager entries
  • %LOCALAPPDATA%\Microsoft\Vault\ for Web Credentials and IE creds
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies (the DPAPI-wrapped AES key that decrypts it is in %LOCALAPPDATA%\Google\Chrome\User Data\Local State)
  • C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\<GUID>\ for Wi-Fi XML (the keyMaterial element is a DPAPI blob under the machine key)
  • C:\Windows\System32\Microsoft\Protect\S-1-5-18\ for machine keys (the User subfolder holds the SYSTEM account's master key files)

Two paths to decryption

  1. User context: run as the target user (on the host, or inside an impersonated logon session) and call CryptUnprotectData; LSASS unlocks the master key for you, so no password is needed. Local admin reaches every logged-on user's blobs this way, and SYSTEM reaches the machine keys.
  2. Offline: copy the master key files and the blobs off the host, decrypt the master key with the user's password or NT hash plus SID (or with the domain backup key), then decrypt each blob with its master key.
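The offline path starts with a question the blob itself answers: which master key GUID was it protected under, and therefore which file do you need to copy? The Python below is an added example, not code from this post or from the Mimikatz and SharpDPAPI projects. It parses the public DPAPI blob layout (the same structure impacket and dpapick implement) and resolves the master key file path for a user SID or for the machine key (S-1-5-18), which is what a Wi-Fi profile's keyMaterial is protected with. The sample blob, GUID and SIDs are constructed, and the script decrypts nothing.

```python
"""Parse the on-disk DPAPI blob format that CryptProtectData emits.

Added example, not code from the BIPI post: field layout is the public
DPAPI blob structure (as in impacket/dpapick); sample data is constructed.
It decrypts nothing; it answers the first offline-path question, which
master key GUID a blob was protected under and so which file to collect.
"""
import struct
import uuid

DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
MACHINE_SID = "S-1-5-18"
# CryptoAPI ALG_ID values DPAPI uses, for readable output.
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


def _need(buf, off, n):
    if off + n > len(buf):
        raise ValueError("truncated DPAPI blob")


def _dword(buf, off):
    _need(buf, off, 4)
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _guid(buf, off):
    _need(buf, off, 16)
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16


def _lv(buf, off):
    """DWORD length followed by that many bytes."""
    n, off = _dword(buf, off)
    _need(buf, off, n)
    return bytes(buf[off:off + n]), off + n


def parse_dpapi_blob(blob):
    """Return the header fields of a DPAPI blob; raise ValueError on garbage."""
    version, off = _dword(blob, 0)
    provider, off = _guid(blob, off)
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    _mk_version, off = _dword(blob, off)
    mk_guid, off = _guid(blob, off)             # which master key to fetch
    flags, off = _dword(blob, off)
    description, off = _lv(blob, off)           # UTF-16LE, NUL-terminated
    alg_crypt, off = _dword(blob, off)
    alg_crypt_bits, off = _dword(blob, off)
    salt, off = _lv(blob, off)
    _hmac_key, off = _lv(blob, off)             # legacy field, normally empty
    alg_hash, off = _dword(blob, off)
    _alg_hash_bits, off = _dword(blob, off)
    _hmac2_key, off = _lv(blob, off)
    data, off = _lv(blob, off)
    sign, off = _lv(blob, off)
    return {
        "master_key_guid": str(mk_guid),
        "flags": flags,
        "description": description.decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_bits": alg_crypt_bits,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "salt_len": len(salt), "ciphertext_len": len(data), "sign_len": len(sign),
    }


def master_key_path(sid, blob):
    """Master key file needed to decrypt `blob` for owner `sid`.

    Machine-protected blobs (Wi-Fi keyMaterial and other SYSTEM secrets) use
    the SYSTEM account's keys under System32, not a profile folder.
    """
    guid = parse_dpapi_blob(blob)["master_key_guid"]
    if sid == MACHINE_SID:
        return rf"C:\Windows\System32\Microsoft\Protect\{MACHINE_SID}\User\{guid}"
    return rf"%APPDATA%\Microsoft\Protect\{sid}\{guid}"


def build_sample_blob(mk_guid, description="Local Credential Data"):
    """Constructed test data: a well-formed blob with dummy ciphertext."""
    def lv(b):
        return struct.pack("<I", len(b)) + b
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le     # version, provider
            + struct.pack("<I", 1) + uuid.UUID(mk_guid).bytes_le   # mk version, mk GUID
            + struct.pack("<I", 0)                                 # flags
            + lv((description + "\x00").encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256)                      # CALG_AES_256, 256 bits
            + lv(b"\x11" * 32) + lv(b"")                           # salt, unused HMAC key
            + struct.pack("<II", 0x800E, 512)                      # CALG_SHA_512, 512 bits
            + lv(b"\x22" * 32)                                     # HMAC2 key
            + lv(b"\x33" * 48) + lv(b"\x44" * 64))                 # ciphertext, signature


if __name__ == "__main__":
    sample = build_sample_blob("1b2c3d4e-0000-4000-8000-000000000001")
    print(parse_dpapi_blob(sample))
    print(master_key_path("S-1-5-21-1-2-3-1001", sample), master_key_path(MACHINE_SID, sample))
```

Against real data, read the file bytes into parse_dpapi_blob(). A Credential Manager file under %APPDATA%\Microsoft\Credentials\ carries a 12-byte header (version, blob size, unknown) before the blob, so skip that first; a Wi-Fi profile's keyMaterial is the blob hex-encoded inside the XML.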

Mimikatz workflow

SharpDPAPI for OPSEC

SharpDPAPI (and SharpChrome for browser data) does the same operations in C#, so it runs in memory through execute-assembly and never opens a handle to LSASS: in user context it lets Windows do the decryption through CryptUnprotectData, exactly as the legitimate application would, and offline it takes key material you recovered elsewhere (/password:, /pvk: for the domain backup key, or {GUID}:SHA1 master key pairs). That makes it the better fit for EDR-heavy environments where Mimikatz hits signatures the moment it loads. Note that the user-context path is also the one that none of the LSASS hardening below touches.

Domain-wide DPAPI: the backup key

Every domain controller holds the domain's DPAPI backup key, an RSA key pair whose public half wraps a recovery copy of every domain user's master key (the DomainKey section of the master key file). With domain admin, export the private key once with mimikatz lsadump::backupkeys /system:<dc> /export and you can decrypt any domain user's master keys, and so their DPAPI secrets, indefinitely and without ever knowing a password, even after password changes: the backup key cannot be rotated through any supported mechanism. The exported .pvk feeds SharpDPAPI's /pvk: option (or mimikatz dpapi::masterkey /pvk:). It does not cover local accounts or the machine (SYSTEM) keys, which have no domain backup. This is why DC compromise is total compromise.

Wi-Fi PSK looting (no DPAPI needed)

Detection

  • Sysmon Event 10 (ProcessAccess) on lsass.exe with a GrantedAccess that includes PROCESS_VM_READ (0x1010, 0x1410 and 0x1fffff are the usual dumping masks) from any image outside a tight allowlist; this catches sekurlsa::dpapi, not user-context SharpDPAPI
  • Object-access auditing (Event 4663 with a SACL) on %APPDATA%\Microsoft\Protect\<SID>\ and C:\Windows\System32\Microsoft\Protect\S-1-5-18\: DPAPI runs inside LSASS, so any other process reading master key files is copying them for offline decryption
  • Defender for Endpoint DPAPI detection (DPAPI_CRED_DECRYPTION)
  • Event 4662 on the DC with ObjectType SecretObject, AccessMask 0x2 and an ObjectName containing BCKUPKEY: that is the backup key being read; baseline it, because legitimate reads are rare and come from the DC itself
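The first, second and fourth signals above are simple enough to express as code. The Python below is an added example, not code from this post or from any vendor product: it runs three rules over constructed Sysmon Event 10, Security 4663 and Security 4662 records (field names follow those event schemas; every value is invented). The LSASS allowlist and the exact BCKUPKEY object strings are assumptions to validate against your own fleet and DCs.

```python
"""Rules for three DPAPI-theft signals, run over constructed Windows events.

Added example, not from the BIPI post. The event dicts are made up here;
field names follow Sysmon Event 10 (ProcessAccess), Security 4663 (file
object access, needs a SACL on the Protect folders) and Security 4662.
The BCKUPKEY match (SecretObject / AccessMask 0x2) is the shape of the
record LSA emits when the backup key secret is read; validate the strings
against your own DCs before alerting on them.
"""
PROCESS_VM_READ = 0x0010  # the access right every LSASS memory reader needs

# Images that legitimately open lsass.exe with VM_READ on a healthy host.
# Assumption: tune per fleet (AV engines, EDR sensors, some backup agents).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def is_lsass_read(e):
    """Sysmon 10: a non-allowlisted process opened lsass.exe with VM_READ."""
    if e.get("EventID") != 10:
        return False
    if not e["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    granted = int(e["GrantedAccess"], 16)
    return bool(granted & PROCESS_VM_READ) and e["SourceImage"].lower() not in LSASS_ALLOWLIST


def is_masterkey_file_read(e):
    """4663: something other than lsass.exe read a DPAPI master key file.

    DPAPI itself runs inside LSASS, so a legitimate CryptUnprotectData call
    never shows a user process touching ...\\Microsoft\\Protect\\<SID>\\.
    """
    if e.get("EventID") != 4663:
        return False
    name = e.get("ObjectName", "").lower()
    return (r"\microsoft\protect\s-1-5-" in name
            and not e.get("ProcessName", "").lower().endswith(r"\lsass.exe"))


def is_backupkey_access(e):
    """4662 on a DC: the DPAPI backup key secret was read (lsadump::backupkeys)."""
    return (e.get("EventID") == 4662
            and e.get("ObjectType") == "SecretObject"
            and e.get("AccessMask") == "0x2"
            and "BCKUPKEY" in e.get("ObjectName", "").upper())


def triage(events):
    """Return (rule, actor) pairs for every event that trips a rule."""
    hits = []
    for e in events:
        if is_lsass_read(e):
            hits.append(("lsass_read", e["SourceImage"]))
        elif is_masterkey_file_read(e):
            hits.append(("masterkey_file_read", e["ProcessName"]))
        elif is_backupkey_access(e):
            hits.append(("backupkey_read", e.get("SubjectUserName", "?")))
    return hits


# Constructed sample events (all values invented): benign and malicious mixed.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 4663, "ProcessName": r"C:\Windows\System32\lsass.exe",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1-2-3-1001\Preferred"},
    {"EventID": 4663, "ProcessName": r"C:\Windows\Temp\SharpDPAPI.exe",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1-2-3-1001\1b2c3d4e-0000-4000-8000-000000000001"},
    {"EventID": 4662, "SubjectUserName": "da-alice", "ObjectType": "SecretObject",
     "AccessMask": "0x2", "ObjectName": "G$BCKUPKEY_PREFERRED"},
    {"EventID": 4662, "SubjectUserName": "svc-backup", "ObjectType": "SecretObject",
     "AccessMask": "0x2", "ObjectName": "NL$KM"},
]

if __name__ == "__main__":
    for rule, actor in triage(SAMPLE_EVENTS):
        print(f"{rule:<20} {actor}")
```

Of the seven sample records only three trip a rule: the 0x1010 handle from mimikatz.exe, the SharpDPAPI.exe read of a master key file, and the domain admin's read of G$BCKUPKEY_PREFERRED. svchost.exe (no VM_READ), wininit.exe (allowlisted), lsass.exe reading its own Preferred file and a read of an unrelated LSA secret all pass, which is the behaviour you want before pointing this at production volumes.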

Defenses that matter

  • Credential Guard isolates NTLM hashes and Kerberos tickets in VBS; it does not cover DPAPI master keys, so it hampers LSASS-based key recovery but leaves the user-context path untouched
  • LSA Protection (RunAsPPL) blocks Mimikatz from opening LSASS unless the attacker can load a signed driver to strip the protection
  • Conditional access with token binding (device-bound session tokens) ties a session to the device it was issued on, so a cookie replayed from another machine fails; it only helps for the apps that enforce it
  • Restrict who can reach the DPAPI backup key on DCs (Domain Admins only, no standing membership) and alert on 4662 against the BCKUPKEY secret object
  • ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"

Key figures

  • MFA bypass success via stolen Chrome cookies: very high
  • Average DPAPI master keys per user profile: 5 to 20
  • Time to dump all user creds with SharpDPAPI triage: under 60 s

DPAPI is the universal Windows secret store. Compromise the user, compromise everything that user has ever logged into.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.