DPAPI Domain Backup Key Extraction
Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
Sigma rule (View on GitHub)
1title: DPAPI Domain Backup Key Extraction
2id: 4ac1f50b-3bd0-4968-902d-868b4647937e
3status: test
4description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
5references:
6 - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
7author: Roberto Rodriguez @Cyb3rWard0g
8date: 2019-06-20
9modified: 2022-02-24
10tags:
11 - attack.credential-access
12 - attack.t1003.004
13logsource:
14 product: windows
15 service: security
16detection:
17 selection:
18 EventID: 4662
19 ObjectType: 'SecretObject'
20 AccessMask: '0x2'
21 ObjectName|contains: 'BCKUPKEY'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
-
Analytics A few initial ideas to explore your data and validate your detection logic: Analytic I Monitor for any SecretObject with the string BCKUPKEY in the ObjectName. Data source Event Provider ...
Read More
Related rules
- Cred Dump Tools Dropped Files
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- DPAPI Domain Master Key Backup Attempt
- Dumping of Sensitive Hives Via Reg.EXE