Attackers who have achieved local access on a Windows endpoint can harvest credentials stored by browsers, credential managers, and enterprise applications without ever touching LSASS — by targeting the Windows Data Protection API (DPAPI) directly. MITRE tracks the broader pattern under T1555.004 (Credentials from Password Stores), but the attack scope covers any application that delegates encryption to DPAPI.

The absence of LSASS interaction is what makes DPAPI theft so effective against EDR configurations that focus heavily on credential access via process injection or memory reads.

How DPAPI Works and Why Attackers Target It

DPAPI provides an OS-level symmetric encryption service scoped to a user or machine. Applications call CryptProtectData() to encrypt data; Windows derives the encryption key from the user’s login credentials and stores a masterkey file at %APPDATA%\Microsoft\Protect\{UserSID}\. Chrome, Edge, Firefox, Windows Credential Manager, and RDP credential caches all rely on this mechanism.

The attack works because masterkeys can be decrypted offline with:

  1. The raw masterkey file (readable from Protect\ if you have the user’s session or local admin)
  2. The user’s NT hash or cleartext password, or the domain DPAPI backup key

The domain backup key is the most dangerous vector — it decrypts any DPAPI masterkey for any user in the domain, never rotates by default, and is stored in Active Directory where any domain admin can extract it via mimikatz lsadump::backupkeys. Once an attacker has it, every DPAPI-protected credential across the entire domain is compromised.

Primary Attack Tools

  • Mimikatz: dpapi::masterkey /in:<path> /password:<pass> and dpapi::chrome / dpapi::cred
  • SharpDPAPI (SpecterOps): Automates local and remote DPAPI plunder; can triage all credential blobs in a single pass
  • DonPAPI: Python-based, performs extraction over authenticated SMB without dropping a binary
  • pypykatz: Python Mimikatz port with a full dpapi module

The typical attack sequence:

  1. Enumerate masterkey GUIDs from %APPDATA%\Microsoft\Protect\{SID}\
  2. Decrypt masterkeys via password hash, cleartext, or domain backup key
  3. Enumerate credential blobs: browser Login Data SQLite databases, %APPDATA%\Microsoft\Credentials\, certificate private keys
  4. Decrypt each blob using the recovered masterkeys

Detection Strategy

File Access to DPAPI-Protected Paths

The most reliable signal is file access to DPAPI paths by processes with no legitimate reason to touch them. Enable SACL auditing on:

  • %APPDATA%\Microsoft\Protect\
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data
  • %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data
  • %APPDATA%\Microsoft\Credentials\

With Sysmon, Event ID 11 (FileCreate) and Sysmon’s process access events complement Windows security event 4663.

Sigma Rule — DPAPI Masterkey or Browser Credential Access by Unexpected Process:

title: Suspicious Access to DPAPI Masterkey or Browser Credential Paths
id: 7e3c9a12-4f5b-41e8-b39d-c8e12f7a3591
status: experimental
description: >
  Detects file access to DPAPI masterkey directories or browser credential stores
  by processes other than the owning browser or Windows internals. Indicative of
  SharpDPAPI, Mimikatz dpapi module, or DonPAPI usage.
references:
  - https://attack.mitre.org/techniques/T1555/004/
  - https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107
author: SOC Analyst Hub
date: 2026/06/07
tags:
  - attack.credential_access
  - attack.t1555.004
logsource:
  category: file_access
  product: windows
detection:
  selection_paths:
    TargetFilename|contains:
      - '\Microsoft\Protect\'
      - '\Google\Chrome\User Data\Default\Login Data'
      - '\Microsoft\Edge\User Data\Default\Login Data'
      - '\Microsoft\Credentials\'
  filter_legitimate:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
      - '\svchost.exe'
      - '\lsass.exe'
  condition: selection_paths and not filter_legitimate
falsepositives:
  - Enterprise backup agents with file-level access
  - Password managers accessing their own stores
level: high

Process Creation for Known DPAPI Tools

title: Known DPAPI Credential Theft Tool Execution
id: 2a8d7f43-9c1e-4b72-a56f-7c3e8d9f1204
status: stable
description: Detects command-line invocation of SharpDPAPI, DonPAPI, and Mimikatz DPAPI commands
logsource:
  category: process_creation
  product: windows
detection:
  selection_cmdline:
    CommandLine|contains:
      - 'dpapi::masterkey'
      - 'dpapi::cred'
      - 'dpapi::chrome'
      - 'SharpDPAPI'
      - 'DonPAPI'
      - 'lsadump::backupkeys'
  condition: selection_cmdline
falsepositives:
  - Authorised red team activity
level: critical

KQL for Microsoft Sentinel — Credential Path Access

// DPAPI masterkey or browser credential file access by unexpected processes
SecurityEvent
| where EventID == 4663
| where ObjectName has_any (
    @"\Microsoft\Protect\",
    @"\Google\Chrome\User Data\Default\Login Data",
    @"\Microsoft\Edge\User Data\Default\Login Data",
    @"\Microsoft\Credentials\"
)
| where ProcessName !endswith_cs "chrome.exe"
    and ProcessName !endswith_cs "msedge.exe"
    and ProcessName !endswith_cs "firefox.exe"
    and ProcessName !endswith_cs "svchost.exe"
    and ProcessName !endswith_cs "lsass.exe"
| project TimeGenerated, Computer, Account, ObjectName, ProcessName, AccessMask
| order by TimeGenerated desc

Detecting Domain Backup Key Extraction

Domain backup key theft is the highest-severity DPAPI attack — and it’s detectable via AD object access auditing:

// Domain DPAPI backup key extraction (mimikatz lsadump::backupkeys)
SecurityEvent
| where EventID == 4662
| where ObjectType has "secret"
| where Properties has "BCKUPKEY"
| project TimeGenerated, Computer, SubjectAccount, ObjectName, Properties

Event ID 4662 fires when the BCKUPKEY_* LSA secret is accessed in AD. This is a high-fidelity signal — there are essentially no legitimate automated use cases for reading this object outside of documented disaster recovery procedures.

Defensive Recommendations

Enable Credential Guard: Windows Credential Guard moves LSA secrets and NTLM hashes into an isolated Hyper-V container, eliminating hash-based masterkey decryption. Not a complete mitigation (the user’s password can still decrypt masterkeys), but it closes the most common hash-based path.

Rotate the domain DPAPI backup key: Microsoft documents the rotation procedure but does not enforce it. Most environments have never rotated theirs. Rotate annually, document the backup location, and treat BCKUPKEY access events as a tier-1 alert.

Browser credential policy: On high-risk endpoints (admins, developers, finance), consider enforcing browser policy that disables local credential storage in Chrome/Edge, redirecting to an enterprise password manager with independent MFA.

Baseline DPAPI path access: Allowlist the specific processes and users that legitimately access each DPAPI path. Deviation from baseline should trigger investigation — DPAPI credential theft leaves clear file-access artefacts that most teams aren’t monitoring.