📢 LSA Whisperer BOF: a Cobalt Strike port for interacting with LSA without touching LSASS
📝 According to the announcement of the "LSA Whisperer BOF" project (a port of SpecterOps' LSA Whisperer tool), this module gives C2 frameworks access to the packages...
📖 cyberveille : https://cyberveille.ch/posts/2026-02-22-lsa-whisperer-bof-un-port-cobalt-strike-pour-interagir-avec-lsa-sans-toucher-a-lsass/
🌐 source : https://github.com/dazzyddos/lsawhisper-bof
#Cobalt_Strike #DPAPI #Cyberveille
LSA Whisperer BOF: a Cobalt Strike port for interacting with LSA without touching LSASS

According to the announcement of the "LSA Whisperer BOF" project (a port of SpecterOps' LSA Whisperer tool), this module gives C2 frameworks access to Windows authentication packages through the legitimate LsaCallAuthenticationPackage API, with no memory reads and no handle on LSASS, even when PPL and Credential Guard are enabled.

🔧 Main capabilities by module:
- MSV1_0: retrieval of DPAPI keys (classic and "strong"), generation of NTLMv1 responses with a chosen challenge.
- Kerberos: ticket listing, ticket dumping (base64 .kirbi blobs with session keys), selective purge by server name.
- CloudAP: extraction of SSO cookies (Entra ID/Azure AD, device, AD FS) and cloud information (TGT/DPAPI status).

🛠️ Architecture and integration:

CyberVeille

Researchers have revealed a DPAPI-based Teams token theft method allowing attackers to decrypt locally stored authentication cookies and impersonate enterprise users.

⚙️ Technical context:
- Target: msedgewebview2.exe process spawned by Teams.
- Stores AES-256-GCM encrypted cookies in a SQLite database.
- Decryption possible by extracting os_crypt.encrypted_key from Local State and unprotecting via DPAPI.
- Enables attackers to read Teams/SharePoint data and send messages as victims.

💬 SOC/DFIR pros - what’s the best detection vector here? File I/O from WebView2? Suspicious DPAPI calls?

👍 Drop your hunting ideas below, like this post & follow @technadu for continuous threat research coverage.
#MicrosoftTeams #DPAPI #Forensics #DFIR #ThreatIntel #WindowsSecurity #InfoSec #AccessTokens #EDR #SOC #CyberDefense #TechNadu

📢 Windows Hello for Business: weakness allowing a local admin to decrypt and forge the biometric database
📝 Source: Black Hat USA (ERNW presentation).
📖 cyberveille : https://cyberveille.ch/posts/2025-08-31-windows-hello-for-business-faiblesse-permettant-a-un-admin-local-de-dechiffrer-et-falsifier-la-base-biometrique/
🌐 source : https://www.blackhat.com/us-25/briefings/schedule/index.html#windows-hell-no-for-business-45865
#DPAPI #IOC #Cyberveille

Phew! 🥳 This little #powershell gem saved my ass today when I tried to migrate a #Signal Desktop install to another Windows PC.
(Not a thing officially supported by @signalapp)

The database encryption key itself is device-specifically encrypted using the "Data Protection API" (haha) #DPAPI, so Signal can't decrypt it on the new machine.

Using a legacy parameter, you can put the unencrypted key on the old machine, transfer it to the new one and have it re-encrypted.

https://github.com/MatejKafka/PSSignalDecrypt

GitHub - MatejKafka/PSSignalDecrypt: A PowerShell script to decrypt your Signal Desktop config, allowing you to move the database to a new computer.

A PowerShell script to decrypt your Signal Desktop config, allowing you to move the database to a new computer. - MatejKafka/PSSignalDecrypt

GitHub
Browser Stored Credentials

Modern web browsers have the capability to store web application based credentials of users in an encrypted format. This functionality has been seen as a security improvement towards the password h…

Purple Team

Did you know there’s a backup key stored on your domain controllers that can decrypt DPAPI-stored secrets for all domain users? 🚨 And unfortunately, there's no way to rotate this key!

Watch CQURE’s Paula Januszkiewicz as she demonstrates how this key can be retrieved and utilized.

📺 https://youtu.be/UPoAhKbJaCI

#CyberSecurity #Windows #DPAPI #ActiveDirectory #RSAC

DPAPI and DPAPI-NG: Decrypting All Users’ Secrets and PFX Passwords

YouTube

[Translation] Pivot to the Clouds: Cookie theft in 2024

Google recently published a blog post about detecting browser data theft using Windows event logs. The post contains several useful tips for defenders on how to detect misuse of DPAPI calls that attempt to grab sensitive browser data. Read more

https://habr.com/ru/articles/815333/

#powershell #cookie #dpapi #edr #redteam

Pivot to the Clouds: Cookie theft in 2024

Google recently published a blog post about detecting browser data theft using Windows event logs. The post contains several useful tips for defenders on how to detect...

Habr

Wow, this is a great write-up of a classic pentest that ended up focusing on @bitwarden and how to unlock the vault with no password when biometrics/#WindowsHello are enabled! Very useful details for anyone looking into using #DPAPI the correct way! (which is currently my case 🤩)

https://blog.redteam-pentesting.de/2024/bitwarden-heist/

Bitwarden Heist - How to Break Into Password Vaults Without Using Passwords

Sometimes, making particular security design decisions can have unexpected consequences. For security-critical software, such as password managers, this can easily lead to catastrophic failure: In this blog post, we show how Bitwarden’s Windows Hello …

RedTeam Pentesting - Blog

CrackMapExec now includes DPAPI cred dumping as a core feature thanks to the dploot library by Thomas Seigneuret from the Orange Cyberdefense French team.

Picture from @mpgn’s bird account.

#CrackMapExec #DPAPI