DPAPI Domain Master Key Backup Attempt

Mar 15, 2023 · attack.credential_access attack.t1003.004 ·

Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.

Sigma rule (View on GitHub)

 1title: DPAPI Domain Master Key Backup Attempt
 2id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
 3status: test
 4description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
 5references:
 6    - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
 7author: Roberto Rodriguez @Cyb3rWard0g
 8date: 2019/08/10
 9modified: 2023/03/15
10tags:
11    - attack.credential_access
12    - attack.t1003.004
13logsource:
14    product: windows
15    service: security
16detection:
17    selection:
18        EventID: 4692
19    condition: selection
20fields:
21    - ComputerName
22    - SubjectDomainName
23    - SubjectUserName
24falsepositives:
25    - If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event.
26level: medium

References

Domain DPAPI Backup Key Extraction — Threat Hunter Playbook

Analytics A few initial ideas to explore your data and validate your detection logic: Analytic I Monitor for any SecretObject with the string BCKUPKEY in the ObjectName. Data source Event Provider ...

Read More

DPAPI Domain Master Key Backup Attempt

Sigma rule (View on GitHub)

References

Domain DPAPI Backup Key Extraction — Threat Hunter Playbook

Related rules