The key you cannot rotate: DPAPI domain backup key theft
One stolen domain DPAPI backup key decrypts every user's protected secrets, offline and forever. You cannot rotate it quickly, so you rotate the secrets it protects.
DPAPI protects each Windows user’s secrets, but the domain keeps one RSA recovery key, the backup key, that can decrypt any user’s DPAPI master key. It is generated once when the domain is created and is effectively impossible to rotate.
How the attack works
A Domain Admin session reads the domain backup key secret from a domain controller and exports the private RSA key off the DC into attacker tooling. With that single key, the attacker decrypts DPAPI master key blobs collected from many users entirely offline, with no further domain controller interaction and no authentication. From those master keys they recover saved credentials, browser-stored passwords and cookies, and vault entries, then replay them to log in as multiple users and move laterally. In ATT&CK terms this is T1003 (OS Credential Dumping) paired with T1555 (Credentials from Password Stores).
Why it works
The backup key is the universal recovery key for the whole domain’s DPAPI, and any Domain Admin session on a DC can read it. Once copied, it decrypts anything DPAPI ever protected, indefinitely.
How to fix it
The scenario teaches the brutal truth: rotating the backup key does not re-protect data that was already encrypted, and the attacker holds offline copies of it. Rotating the key is also a heavyweight, disruptive operation. The effective containment is to treat every DPAPI-protected secret as exposed and invalidate the secrets themselves: reset passwords, rotate saved and service credentials, and revoke session cookies, while closing the Tier-0 path that allowed the export. The detection signal is object access to the backup key secret on a DC, which is rare in normal operation. The durable control is crown-jewel governance: minimize and monitor who can run code on DCs as a Domain Admin, and alert on any access to that key as a near-certain incident.
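As an added example (not part of the scenario or GraphLattice's own tooling), the following detection runs over a few constructed, SIEM-normalised Windows Security events and raises a critical alert for every read of a domain DPAPI backup key object on a DC, attaching the containment actions described above. It assumes Directory Service Access auditing is enabled with a SACL on the backup key objects so that Event ID 4662 is actually emitted, that the event's object name has been normalised to the object's distinguished name, and that the host inventory and account names are placeholders.

```python
import re

# Constructed, normalised Windows Security events (not real logs). Event ID 4662
# ("An operation was performed on an object") is only emitted for a read of an AD
# object when Directory Service Access auditing is on and the object's SACL audits
# the access, so this detection assumes that SACL exists on the key objects.
SAMPLE_EVENTS = [
    {"event_id": 4662, "computer": "DC01.corp.example", "subject": "CORP\\svc-backup",
     "object_name": "CN=BCKUPKEY_PREFERRED,DC=corp,DC=example", "access_mask": "0x10"},
    {"event_id": 4662, "computer": "DC01.corp.example", "subject": "CORP\\jdoe",
     "object_name": "CN=Users,DC=corp,DC=example", "access_mask": "0x10"},
    {"event_id": 4624, "computer": "WS42.corp.example", "subject": "CORP\\jdoe",
     "object_name": "", "access_mask": ""},
    {"event_id": 4662, "computer": "DC02.corp.example", "subject": "CORP\\t0-admin",
     "object_name": "CN=BCKUPKEY_P,DC=corp,DC=example", "access_mask": "0x10"},
]

# The domain DPAPI backup keys are stored in AD as "secret" objects whose names
# start with BCKUPKEY_ (BCKUPKEY_PREFERRED points at the key currently in use).
BACKUP_KEY_RE = re.compile(r"^CN=BCKUPKEY_", re.IGNORECASE)
DC_HOSTS = {"DC01.corp.example", "DC02.corp.example"}  # constructed DC inventory

def is_backup_key_access(event):
    """True for a 4662 logged on a domain controller whose target is a BCKUPKEY_ object."""
    return (event["event_id"] == 4662
            and event["computer"] in DC_HOSTS
            and BACKUP_KEY_RE.match(event["object_name"]) is not None)

def detect_backup_key_access(events):
    """Return one critical alert per matching access. There is no benign baseline
    to tune against, so every hit is treated as a probable key export."""
    alerts = []
    for e in events:
        if is_backup_key_access(e):
            alerts.append({
                "severity": "critical",
                "subject": e["subject"],
                "dc": e["computer"],
                "object": e["object_name"],
                "containment": ["treat all DPAPI-protected secrets as exposed",
                                "reset user and service passwords",
                                "revoke browser sessions and cookies",
                                "close the Tier-0 path used for the read"],
            })
    return alerts

if __name__ == "__main__":
    for a in detect_backup_key_access(SAMPLE_EVENTS):
        print(f"{a['severity']}: {a['subject']} read {a['object']} on {a['dc']}")
```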
Practice it
We built this as a GraphLattice Range scenario so responders can rehearse rotating the protected secrets when the stolen key itself cannot be.