The CQURE Team takes DPAPI (Data Protection API) and DPAPI-NG research to the next level. During this session you will hear about three breakthrough discoveries we made while reverse engineering the Windows cryptographic platform, and you will see live demos of DPAPI exploitation.

The first discovery is about decrypting DPAPI-protected data with the private key stored as an LSA secret on a domain controller. We call it the 'backup key': it is the private half of the backup public key stored in each domain user's profile, and every domain user's DPAPI master key carries a copy encrypted to that public key. The backup key therefore allows decrypting literally all of the domain users' secrets (passwords, private keys, data stored by browsers). In other words, someone who has the backup key is able to take control of all identities and their secrets across the entire enterprise. Because the key lives among the domain controller's LSA secrets, anyone who can read those secrets, or who holds an offline copy of a DC, holds the backup key as well. It is crucial to understand how this happens, and it is great knowledge to have while performing red teaming or penetration testing.

During the session we will also look at TBAL exploitation: extracting credentials from a key stored in the registry.

Another variant of DPAPI is DPAPI-NG, which is used for SID-protected PFX files. While the previous discovery gave the CQURE Team access to a user's secrets, here it is a bit different: come to the session and discover how to decrypt SID-protected PFX files without the user's password, only by generating the SID and the user's token.

Paula Januszkiewicz, CQURE CEO and security researcher, will present the team's unique findings on gaining access to users' secrets by possessing the domain backup key and on decrypting SID-protected PFX files. All demonstrations are key DPAPI breakthroughs that have serious implications if not managed well. Tools included.
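As an added example (not code from the CQURE session or its tools), the following Python parses the header of a DPAPI master key file from a user's profile (the GUID-named files under %APPDATA%\Microsoft\Protect\<SID>\) and reports the GUID of the domain backup key whose private half, held as an LSA secret on the domain controller, would decrypt the file's DomainKey section. The layout follows the publicly known structure implemented by open DPAPI tooling such as mimikatz and dpapick (a 128-byte header followed by the MasterKey, BackupKey, CredHist and DomainKey sections); the offsets, field names and the sample file are my reconstruction, and the code decrypts nothing. It is useful on both sides: a tester learns which backup key is needed, and a defender can confirm that every user master key on a host is indeed bound to the domain backup key.

```python
"""Added example: read a DPAPI master key file header and report which
domain backup key (by GUID) is needed to open its DomainKey section.

Layout as implemented by public DPAPI tooling (mimikatz, dpapick); the
offsets below are this example's reconstruction, not code from the CQURE
session. Nothing here decrypts anything.
"""
import os
import struct
import sys
import uuid

# Header: version, 8 unused bytes, master key GUID as UTF-16LE text
# (36 chars = 72 bytes), 8 unused bytes, flags, then the byte lengths of
# the MasterKey, BackupKey, CredHist and DomainKey sections.
HEADER_FMT = "<I8s72s8sIQQQQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 128

# DomainKey section: version, secret length, access-check length, then the
# GUID of the domain backup key whose private half (an LSA secret on the DC)
# decrypts the secret.
DOMAINKEY_FMT = "<III16s"
DOMAINKEY_HDR_LEN = struct.calcsize(DOMAINKEY_FMT)  # 28


def parse_masterkey_file(blob: bytes) -> dict:
    """Return the master key GUID, section sizes and backup key GUID (if any)."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than a master key file header")
    (version, _, guid_utf16, _, flags,
     mk_len, bk_len, ch_len, dk_len) = struct.unpack_from(HEADER_FMT, blob, 0)
    if version not in (1, 2):
        raise ValueError(f"unexpected master key file version {version}")

    # The four sections follow the header in fixed order; each may be empty.
    sections = {}
    offset = HEADER_LEN
    for name, length in (("masterkey", mk_len), ("backupkey", bk_len),
                         ("credhist", ch_len), ("domainkey", dk_len)):
        if offset + length > len(blob):
            raise ValueError(f"{name} section runs past end of file")
        sections[name] = blob[offset:offset + length]
        offset += length

    result = {
        "version": version,
        "flags": flags,
        "masterkey_guid": guid_utf16.decode("utf-16-le").rstrip("\x00"),
        "section_sizes": {k: len(v) for k, v in sections.items()},
        "domain_backup_key_guid": None,  # None means: no domain backup copy
        "domain_secret_len": 0,
    }

    domainkey = sections["domainkey"]
    if domainkey:
        if len(domainkey) < DOMAINKEY_HDR_LEN:
            raise ValueError("DomainKey section truncated")
        _dk_version, secret_len, check_len, bk_guid = struct.unpack_from(
            DOMAINKEY_FMT, domainkey, 0)
        if DOMAINKEY_HDR_LEN + secret_len + check_len != len(domainkey):
            raise ValueError("DomainKey lengths do not add up")
        # Windows writes GUIDs in mixed-endian form, hence bytes_le.
        result["domain_backup_key_guid"] = str(uuid.UUID(bytes_le=bk_guid))
        result["domain_secret_len"] = secret_len
    return result


def build_sample() -> bytes:
    """Constructed sample for offline use; not captured from a real system."""
    mk_guid = "1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b"
    backup_guid = uuid.UUID("aabbccdd-1122-3344-5566-778899aabbcc")
    masterkey = b"\x01" * 176   # opaque encrypted MasterKey section (not parsed)
    credhist = b"\x02" * 20     # opaque CredHist section (not parsed)
    domainkey = (struct.pack(DOMAINKEY_FMT, 2, 256, 16, backup_guid.bytes_le)
                 + b"\xaa" * 256 + b"\xbb" * 16)
    header = struct.pack(HEADER_FMT, 2, b"\x00" * 8, mk_guid.encode("utf-16-le"),
                         b"\x00" * 8, 0, len(masterkey), 0, len(credhist),
                         len(domainkey))
    return header + masterkey + credhist + domainkey


def scan_protect_dir(path: str) -> list:
    """Parse every GUID-named master key file under a Protect\\<SID> directory."""
    found = []
    for name in sorted(os.listdir(path)):
        try:
            uuid.UUID(name)     # master key files are named after their GUID
        except ValueError:
            continue            # skips Preferred, BK-<DOMAIN> and similar files
        with open(os.path.join(path, name), "rb") as fh:
            found.append(parse_masterkey_file(fh.read()))
    return found


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for info in scan_protect_dir(sys.argv[1]):
            print(info["masterkey_guid"], "-> domain backup key",
                  info["domain_backup_key_guid"])
    else:
        print(parse_masterkey_file(build_sample()))
```

Run it with the path of a user's Protect\<SID> directory to list each master key GUID next to the backup key GUID it is bound to; a master key whose DomainKey section is missing is not recoverable with the domain backup key at all, which is exactly the case the talk's first discovery does not cover.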
You will learn:
- Understand the mechanics and weaknesses of Windows DPAPI and DPAPI-NG, including how sensitive data such as user secrets and PFX files can be decrypted without the user's password or a session as that user.
- Recognize how attackers can use the domain backup key, registry-stored keys and SIDs to compromise enterprise-wide security and access protected data.
- Gain insight into practical defense strategies and tools for mitigating the risks of DPAPI weaknesses in enterprise environments.