DPAPI Domain Master Key Backup Attempt
Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
Sigma rule (View on GitHub)
1title: DPAPI Domain Master Key Backup Attempt
2id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
3status: test
4description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
5references:
6 - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
7author: Roberto Rodriguez @Cyb3rWard0g
8date: 2019-08-10
9modified: 2023-03-15
10tags:
11 - attack.credential-access
12 - attack.t1003.004
13logsource:
14 product: windows
15 service: security
16detection:
17 selection:
18 EventID: 4692
19 condition: selection
20fields:
21 - ComputerName
22 - SubjectDomainName
23 - SubjectUserName
24falsepositives:
25 - If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event.
26level: medium
References
-
Analytics A few initial ideas to explore your data and validate your detection logic: Analytic I Monitor for any SecretObject with the string BCKUPKEY in the ObjectName. Data source Event Provider ...
Read More
Related rules
- Cred Dump Tools Dropped Files
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System
- DPAPI Domain Backup Key Extraction
- Dumping of Sensitive Hives Via Reg.EXE