My big take away here is that Microsoft DPAPI (Data Protection API) protected data on domain connected Windows hosts has an escrow key called “DPAPI Backup Key” in the DC (Domain Controller). This allows DA (Domain Administrators) to recover user data if the user forgets their password (which used to be the only way to key DPAPI, which led to user data loss in the past).

This allows dumping of all credentials locally-protected on windows host over remote SMB, including biometric unlock keys for Bitwarden vaults, which are stored in the users profile folder, given DA creds.

DA compromise can lead to all local data protected by DPAPI on domain connected windows hosts being decrypted, including credentials and vaults; without exploiting any vulns. By design.

Bitwarden changed their key scheme to add another layer of encryption to the DPAPI stored creds in the case of biometric unlock, so this attack is now more difficult. I am not convinced this is directly solvable problem given the windows domain security model with DPAPI.