Protected Storage Service Access via SMB

Identifies remote access to the Windows Protected Storage Service through the IPC$ share. Attackers may abuse this named pipe to interact with the Protected Storage Service and extract sensitive credentials, certificates, or DPAPI backup keys.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/06/26"
  3integration = ["system", "windows"]
  4maturity = "production"
  5updated_date = "2026/06/26"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies remote access to the Windows Protected Storage Service through the IPC$ share. Attackers may abuse this
 11named pipe to interact with the Protected Storage Service and extract sensitive credentials, certificates, or DPAPI
 12backup keys.
 13"""
 14from = "now-9m"
 15index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 16language = "kuery"
 17license = "Elastic License v2"
 18name = "Protected Storage Service Access via SMB"
 19note = """## Triage and analysis
 20
 21### Investigating Protected Storage Service Access via SMB
 22
 23The Protected Storage Service manages sensitive user data such as passwords, certificates, and private keys. Remote
 24access to the `protected_storage` named pipe over the IPC$ share is unusual and may indicate an attempt to extract
 25credentials or abuse DPAPI to retrieve domain backup keys from domain controllers.
 26
 27#### Possible investigation steps
 28
 29- Identify the source system and user account that initiated the access by reviewing `source.ip`, `user.name`, and
 30  `winlog.event_data.SubjectUserName`.
 31- Determine whether the target host is a domain controller or other high-value system that stores DPAPI backup keys.
 32- Review authentication events (4624, 4625) around the alert time to identify how the source authenticated to the
 33  target.
 34- Investigate other alerts associated with the source host or user during the past 48 hours.
 35- Check for follow-on credential access activity such as registry hive access, LSASS access, or lateral movement.
 36
 37### False positive analysis
 38
 39- This activity is rarely expected in most environments. If legitimate administrative tooling accesses this pipe,
 40  confirm the source, account, and target system before adding an exception.
 41
 42### Response and remediation
 43
 44- Initiate the incident response process based on the outcome of the triage.
 45- Isolate the source host if unauthorized access is confirmed.
 46- Investigate credential exposure and reset passwords for potentially compromised accounts.
 47- Review domain controller DPAPI backup key exposure if the target is a domain controller.
 48"""
 49references = [
 50    "https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html",
 51    "https://www.elastic.co/security-labs/detect-credential-access",
 52]
 53setup = """## Setup
 54
 55Audit Detailed File Share must be enabled to generate the events used by this rule.
 56Setup instructions: https://ela.st/audit-detailed-file-share
 57"""
 58risk_score = 73
 59rule_id = "9bed06f5-0c32-488a-9353-d565fc9d1573"
 60severity = "high"
 61tags = [
 62    "Domain: Endpoint",
 63    "OS: Windows",
 64    "Use Case: Threat Detection",
 65    "Tactic: Credential Access",
 66    "Tactic: Lateral Movement",
 67    "Resources: Investigation Guide",
 68    "Use Case: Active Directory Monitoring",
 69    "Data Source: Active Directory",
 70    "Data Source: Windows Security Event Logs",
 71]
 72timestamp_override = "event.ingested"
 73type = "query"
 74
 75query = '''
 76host.os.type:windows and event.category:file and event.code:5145 and
 77  winlog.event_data.ShareName:"\\\\*\\IPC$" and
 78  winlog.event_data.RelativeTargetName:"protected_storage" and
 79  not source.ip:("::" or "::1" or "0.0.0.0" or "127.0.0.1")
 80'''
 81
 82
 83[[rule.threat]]
 84framework = "MITRE ATT&CK"
 85
 86[[rule.threat.technique]]
 87id = "T1555"
 88name = "Credentials from Password Stores"
 89reference = "https://attack.mitre.org/techniques/T1555/"
 90
 91[[rule.threat.technique]]
 92id = "T1552"
 93name = "Unsecured Credentials"
 94reference = "https://attack.mitre.org/techniques/T1552/"
 95
 96[[rule.threat.technique.subtechnique]]
 97id = "T1552.004"
 98name = "Private Keys"
 99reference = "https://attack.mitre.org/techniques/T1552/004/"
100[rule.threat.tactic]
101id = "TA0006"
102name = "Credential Access"
103reference = "https://attack.mitre.org/tactics/TA0006/"
104
105[[rule.threat]]
106framework = "MITRE ATT&CK"
107
108[[rule.threat.technique]]
109id = "T1021"
110name = "Remote Services"
111reference = "https://attack.mitre.org/techniques/T1021/"
112
113[[rule.threat.technique.subtechnique]]
114id = "T1021.002"
115name = "SMB/Windows Admin Shares"
116reference = "https://attack.mitre.org/techniques/T1021/002/"
117
118[rule.threat.tactic]
119id = "TA0008"
120name = "Lateral Movement"
121reference = "https://attack.mitre.org/tactics/TA0008/"

Triage and analysis

Investigating Protected Storage Service Access via SMB

The Protected Storage Service manages sensitive user data such as passwords, certificates, and private keys. Remote access to the protected_storage named pipe over the IPC$ share is unusual and may indicate an attempt to extract credentials or abuse DPAPI to retrieve domain backup keys from domain controllers.

Possible investigation steps

  • Identify the source system and user account that initiated the access by reviewing source.ip, user.name, and winlog.event_data.SubjectUserName.
  • Determine whether the target host is a domain controller or other high-value system that stores DPAPI backup keys.
  • Review authentication events (4624, 4625) around the alert time to identify how the source authenticated to the target.
  • Investigate other alerts associated with the source host or user during the past 48 hours.
  • Check for follow-on credential access activity such as registry hive access, LSASS access, or lateral movement.

False positive analysis

  • This activity is rarely expected in most environments. If legitimate administrative tooling accesses this pipe, confirm the source, account, and target system before adding an exception.

Response and remediation

  • Initiate the incident response process based on the outcome of the triage.
  • Isolate the source host if unauthorized access is confirmed.
  • Investigate credential exposure and reset passwords for potentially compromised accounts.
  • Review domain controller DPAPI backup key exposure if the target is a domain controller.

References

Related rules

to-top