Windows

BackupCreds – Mastering Credential Dumping In Windows

BackupCreds presents a groundbreaking method for security professionals to exploit SeTrustedCredmanAccessPrivilege, enabling the dumping of stored credentials in Windows environments.

This article delves into the intricate process of leveraging elevated shells for credential extraction, offering a step-by-step guide on accessing and manipulating the Windows Credential Manager.

Discover how BackupCreds transforms security testing and vulnerability assessments with its innovative approach.

________________________________________________
|      _____________________________           |
| [][] _____________________________ [_][_][_] |
| [][] [_][_][_] [_][_][_][_] [_][_] [_][_][_] |
|            Dump all the Creds!               |
| [][] [][][][][][][][][][][][][][_] [][][][]  |
| [][] [_][][][][][][][][][][][][][] [][][][]  |
| [][] [__][][][][][][][][][][][][_] [][][][]  |
| [][] [___][][][][][][][][][][][__] [__][][]  |
|          [_][______________][_]              |
|          Lefteris (lefty) Panos              |
|______________________________________________|

Abusing SeTrusted Credman Access Privilege To Dump User Creds

The program provides the ability to dump the stored credentials a user might have in the Windows Credential Manager.

It is a useful technique in cases where an elevated shell exists and multiple users are currently logged in.

Steps

Finds the right WinLogon process of the user we want to dump the creds
Opens the WinLogon process with PROCESS_QUERY_LIMITED_INFORMATION access
Duplicates token with TOKEN_DUPLICATE access
Turns token to impersonation token
Enables SeTrustedCredmanAccessPrivilege permission
Opens the target process of the user
Steals and impersonates target user
Calls CredBackupCredentials while impersonating the WinLogon token passing a path to write to and a NULL password to disable the user encryption
While still impersonating opens the file and decrypts it using the CryptUnprotectData API
Deletes the file

Usage

backupcreds [PID of target user] [path to save file]

Must be run from an elevated context.

OPSEC

Currently writes to disk to an operator provided path. Will delete the path once done. Accesses WinLogon.

WdToggle : Direct System Calls To Enable WDigest Credential Caching

March 7, 2021

In "Kali Linux"

Combine Tool – Bypass EDRs & Secure Windows Credentials

September 1, 2023

In "Hacking Tools"

BlackBasta Chat : The Inner Workings Of A Notorious Ransomware Group

February 24, 2025

In "Cyber security"

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.