Key Distribution Service (KDS) Root Keys have been a foundational part of Active Directory since Windows Server 2012. They are best known as the secret from which gMSA and dMSA passwords are derived, but they also underpin DPAPI-NG (CNG DPAPI), which protects sensitive data for a set of principals via SID Protectors. Earlier research from CQURE and Semperis exposed parts of the underlying cryptography, yet several critical use cases have remained underexplored.
During this session, we will demonstrate online and offline attacks against virtually all KDS Root Key scenarios: decrypting BitLocker volumes that use SID Protectors, exporting RSA private keys from group-protected PFX files, extracting DNSSEC signing keys, revealing ASP.NET Core encrypted connection strings, bulk-exporting LAPS and DSRM passwords, and generating gMSA/dMSA passwords (the "Golden *MSA" attack). We will also present a newly discovered universal technique for attacking DPAPI-NG in Windows that decrypts any secret protected with SID Protectors without building an application-specific decryptor, together with the defensive steps you need to consider now.
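As an added defensive check, not part of the talk or its authors' tooling, the following PowerShell inventories the KDS Root Keys in a forest and lists which principals hold read or control rights on the container that stores them. The Semperis Golden gMSA research mentioned above showed that whoever can read the root key material can derive gMSA passwords offline, so that read set is the first thing to audit. It assumes RSAT (the ActiveDirectory module and the KDS cmdlets) on a domain-joined host, Domain Admin rights to read the key objects, and the default location of the Master Root Keys container; all three are assumptions, not facts from the page.

```powershell
# Added example, not from the original page. Assumes RSAT with the
# ActiveDirectory and KDS modules, and that the Master Root Keys container
# sits at its default location under the Configuration naming context.
Import-Module ActiveDirectory
Import-Module KDS

function Get-KdsRootKeyInventory {
    # Every root key the forest has ever generated; the one with the latest
    # EffectiveTime (that is already in the past) is used for new derivations,
    # but older keys still decrypt anything sealed with them.
    Get-KdsRootKey |
        Sort-Object EffectiveTime |
        Select-Object KeyId, CreationTime, EffectiveTime
}

function Get-KdsContainerRights {
    # Principals with explicit or inherited Allow ACEs that grant read or
    # control over the container. Anything beyond Domain Admins, Enterprise
    # Admins and SYSTEM deserves a justification.
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNC"
    $acl = Get-Acl -Path "AD:\$container"

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match 'GenericAll|GenericRead|ReadProperty|WriteDacl|WriteOwner'
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
        Sort-Object IdentityReference, ActiveDirectoryRights -Unique
}

Get-KdsRootKeyInventory | Format-Table -AutoSize
Get-KdsContainerRights  | Format-Table -AutoSize
```

The container ACL is only half the picture: attribute-level ACEs on the individual msKds-ProvRootKey objects, backup operators who can read the NTDS database offline, and DCSync-capable principals all reach the same key material, so treat this as a starting inventory rather than a complete exposure model.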