gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

Decrypting EFS from a Microsoft account #375

Open KyriiiX opened 3 years ago

KyriiiX commented 3 years ago

I reinstalled Windows and forgot to back up my certificate, so I can't access my own files anymore. I read the tutorial on how to decrypt the certificate; however, I'm stuck on getting the masterkey: I remember the password but it isn't working, and I obviously can't get the password from CREDHIST (not a local account) even if I backed up AppData. I couldn't find any information on how to find the hash of a Microsoft session.

Any solution?

Thanks in advance, Kyrian

MichaelGrafnetter commented 3 years ago

Hi @KyriiiX, AFAIK, Windows 10 handles MS Accounts and AAD accounts differently than AD/local accounts.

Not sure about MS accounts, but with AAD ones, the DPAPI Master Key Encryption Key is no longer password-derived. It is instead sent to the machine as part of the Primary Refresh Token. Moreover, the key is computer-specific and changes over time, at least based on my observations. Maybe try dumping it from RAM using sekurlsa::logonpasswords or sekurlsa::dpapi.

There even used to be a bug in AAD where it was exposing DPAPI Master Key Encryption Keys of everyone to everyone. But it is fixed now.