Security News

Cybersecurity news aggregator

LOW News SANS Institute

Red Team | Looting Credentials from Modern Browsers

  • What: A presentation at SANS Hack & Defend Summit 2025 will discuss techniques for red teams to loot credentials from modern web browsers.
  • Impact: The presentation will cover how DPAPI works, how attackers have abused it, and how modern Chromium-based browsers introduced AppBound Encryption to mitigate such attacks.

Red Team | From DPAPI to AppBound: Looting Credentials on Modern Web Browsers

🎙️ Melvin Mejia, Senior Red Team Operator, Pentraze Cybersecurity
📍 Presented at SANS Hack & Defend Summit 2025

With technologies like Credential Guard and LSA Protection becoming defaults in new versions of Windows, red teamers need to find new ways to loot credentials on compromised Windows systems, and it just so happens that one of the most practical alternatives to traditional lsass.exe dumping for passwords is looting credentials stored in web browsers.

I'll be breaking down how DPAPI works and its usage in securing browser secrets, how attackers have historically abused DPAPI for looting browsers, and how modern Chromium-based browsers introduced AppBound Encryption to mitigate such attacks. Then I'll also cover the techniques that have surfaced to bypass AppBound and continue to loot browser credentials despite these protections.

The goal is to give a red team perspective on why browsers remain such a high-value target, how Windows internals can be turned against themselves, the evolving cat-and-mouse dynamic between mitigations and bypasses, and what the current attack surface of browser-stored secrets looks like in practice.
