Access To Windows DPAPI Master Keys By Uncommon Application

calendar Dec 21, 2023 · attack.credential_access attack.t1555.004  ·
Share on: linkedin copy

Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function

Sigma rule (View on GitHub)

 1title: Access To Windows DPAPI Master Keys By Uncommon Application
 2id: 46612ae6-86be-4802-bc07-39b59feb1309
 3status: experimental
 4description: |
 5    Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.
 6    This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function    
 7references:
 8    - http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
 9    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/10/17
12modified: 2023/12/18
13tags:
14    - attack.credential_access
15    - attack.t1555.004
16logsource:
17    category: file_access
18    product: windows
19    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
20detection:
21    selection:
22        FileName|contains:
23            - '\Microsoft\Protect\S-1-5-18\' # For System32
24            - '\Microsoft\Protect\S-1-5-21-' # For Users
25    filter_system_folders:
26        Image|contains:
27            - ':\Program Files\'
28            - ':\Program Files (x86)\'
29            - ':\Windows\system32\'
30            - ':\Windows\SysWOW64\'
31    condition: selection and not 1 of filter_*
32falsepositives:
33    - Unknown
34# Increase level after false positives filters are good enough
35level: medium

References

Related rules

to-top