DPAPI LocalMachine + BitLocker

API Key Leaks/README.md

@@ -45,7 +45,7 @@
     python ./badsecrets/examples/telerik_knownkey.py --url http://vulnerablesite/Telerik.Web.UI.DialogHandler.aspx
     python ./badsecrets/examples/symfony_knownkey.py --url https://localhost/
     ```
-
+- [mazen160/secrets-patterns-db](https://github.com/mazen160/secrets-patterns-db) - Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
     
 ## Exploit
 

Methodology and Resources/Active Directory Attack.md

@@ -60,7 +60,7 @@
     - [Pass-the-Ticket Sapphire Tickets](#pass-the-ticket-sapphire-tickets)
   - [Kerberoasting](#kerberoasting)
   - [KRB_AS_REP Roasting](#krb_as_rep-roasting)
-  - [CVE-2022-33679 (RC4 Is Still Considered Harmful)](#cve-2022-33679-rc4-is-still-considered-harmful)
+  - [CVE-2022-33679](#cve-2022-33679)
   - [Timeroasting](#timeroasting)
   - [Pass-the-Hash](#pass-the-hash)
   - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
@@ -1982,7 +1982,7 @@ C:\Rubeus> john --format=krb5asrep --wordlist=passwords_kerb.txt hashes.asreproa
 
 
 
-## CVE-2022-33679 (RC4 Is Still Considered Harmful)
+## CVE-2022-33679
 
 > CVE-2022-33679 performs an encryption downgrade attack by forcing the KDC to use the RC4-MD4 algorithm and then brute forcing the session key from the AS-REP using a known plaintext attack, Similar to AS-REP Roasting, it works against accounts that have pre-authentication disabled and the attack is unauthenticated meaning we don’t need a client’s password..
 

Methodology and Resources/Office - Attacks.md

@@ -743,4 +743,5 @@ $ phishery -u https://secure.site.local/docs -i good.docx -o bad.docx
 * [Executing macros from docx with remote - RedXORBlueJuly 18, 2018](http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html)
 * [One thousand and one ways to copy your shellcode to memory (VBA Macros) - X-C3LL - Feb 18, 2021](https://adepts.of0x.cc/alternatives-copy-shellcode/)
 * [Running macros via ActiveX controls - greyhathacker - September 29, 2016](http://www.greyhathacker.net/?p=948)
-* [Anti-Analysis Techniques Used in Excel 4.0 Macros - 24 March 2021 - @Jacob_Pimental](https://www.goggleheadedhacker.com/blog/post/23)
+* [Anti-Analysis Techniques Used in Excel 4.0 Macros - 24 March 2021 - @Jacob_Pimental](https://www.goggleheadedhacker.com/blog/post/23)
+* [So you think you can block Macros? - Pieter Ceelen - April 25, 2023](https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/)

Methodology and Resources/Windows - DPAPI.md

@@ -6,6 +6,7 @@
 
 * [Data Protection API](#data-protection-api)
     * [List Credential Files](#list-credential-files)
+    * [DPAPI LocalMachine Context](#dpapi-localmachine-context)
     * [Mimikatz - Credential Manager & DPAPI](#mimikatz---credential-manager--dpapi)
     * [Hekatomb - Steal all credentials on domain](#hekatomb---steal-all-credentials-on-domain)
     * [DonPAPI - Dumping DPAPI credz remotely](#donpapi---dumping-dpapi-credz-remotely)
@@ -37,6 +38,19 @@ Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
 ```
 
 
+### DPAPI LocalMachine Context
+
+The `LocalMachine` context is used to protect data that is intended to be shared across different users or services on a single machine. This means that any user or service running on the machine can access the protected data with the appropriate credentials.
+
+In contrast, the `CurrentUser` context is used to protect data that is intended to be accessed only by the user who encrypted it, and cannot be accessed by other users or services on the same machine.
+
+```ps1
+$a = [System.Convert]::FromBase64String("AQAAANCMnd[...]")
+$b = [System.Security.Cryptography.ProtectedData]::Unprotect($a, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
+[System.Text.Encoding]::ASCII.GetString($b)
+```
+
+
 ### Mimikatz - Credential Manager & DPAPI
 
 ```powershell

Methodology and Resources/Windows - Defenses.md

@@ -365,6 +365,15 @@ The **Enterprise Context** column shows you what each app can do with your enter
 * **Exempt**. Shows the text, Exempt. Windows Information Protection policies don't apply to these apps (such as, system components).
 
 
+## BitLocker Drive Encryption
+
+BitLocker is a full-disk encryption feature included in Microsoft Windows operating systems starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. BitLocker uses AES encryption algorithm to encrypt data on the disk. When enabled, BitLocker requires a user to enter a password or insert a USB flash drive to unlock the encrypted volume before the operating system is loaded, ensuring that data on the disk is protected from unauthorized access. BitLocker is commonly used on laptops, portable storage devices, and other mobile devices to protect sensitive data in case of theft or loss.
+
+When BitLocker is in `Suspended` state, boot the system using a Windows Setup USB, and then decrypt the drive using this command: `manage-bde -off c:`
+
+You can check if it is done decrypting using this command: `manage-bde -status`
+
+
 ## References
 
 * [SNEAKING PAST DEVICE GUARD - Cybereason - Philip Tsukerman](https://troopers.de/downloads/troopers19/TROOPERS19_AR_Sneaking_Past_Device_Guard.pdf)