One Day Sec

What offline methods exist to obtain the DPAPI MasterKey without direct access to the running system?

One method is to dump the LSASS process memory using `procdump.exe -ma lsass.exe`, then load the dump file into mimikatz with `sekurlsa::minidump` and run `sekurlsa::dpapi`. Another approach involves saving the SYSTEM and SECURITY registry hives, extracting the DPAPI_SYSTEM hash via `lsadump::secrets`, and using that hash to decrypt system Master Key files directly. For a full walkthrough, see Penetration Techniques - Obtaining the MasterKey in DPAPI on Windows Systems.
Tags: offline acquisition, procdump, registry hives, DPAPI_SYSTEM, lsadump::secrets
