Name
KDS Root Keys: All Secrets Finally Revealed
Description
Key Distribution Service (KDS) Root Keys have been an integral part of Active Directory since Windows Server 2012. These cryptographic seeds are predominantly used to generate passwords of managed service accounts (gMSA and dMSA) but are also utilized by DPAPI-NG (also known as CNG DPAPI) to encrypt sensitive information using SID Protectors. Although researchers from CQURE and Semperis have previously published PoC implementations of the cryptographic algorithms used with KDS Root Keys, many scenarios have not yet been covered by research and tooling. In this session, we will demonstrate online and offline attacks against virtually ALL use cases of KDS Root Keys, including:

- Decryption of volumes with BitLocker SID Protector enabled.
- Exporting RSA private keys from group-protected PFX files.
- Extracting DNSSEC signing keys (ZSK and KSK) from Active Directory.
- Revealing ASP.NET Core encrypted database connection strings.
- Bulk export of LAPS and DSRM passwords from ntds.dit, LDAP, or DCSync.
- Generating gMSA and dMSA passwords (Golden *MSA Attack).

We will also be presenting a newly discovered universal way of attacking DPAPI-NG in Windows, which allows us to decrypt any secrets encrypted using the SID protector, without needing to develop application-specific decryptors.