DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
Sigma rule (View on GitHub)
1title: DPAPI Backup Keys And Certificate Export Activity IOC
2id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
3status: experimental
4description: |
5 Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
6references:
7 - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
8 - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
9author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
10date: 2024-06-26
11tags:
12 - attack.t1555
13 - attack.t1552.004
14logsource:
15 product: windows
16 category: file_event
17detection:
18 selection:
19 TargetFilename|contains:
20 - 'ntds_capi_'
21 - 'ntds_legacy_'
22 - 'ntds_unknown_'
23 TargetFilename|endswith:
24 - '.cer'
25 - '.key'
26 - '.pfx'
27 - '.pvk'
28 condition: selection
29falsepositives:
30 - Unlikely
31level: high
References
-
Introduction The Data Protection API (DPAPI) in Windows is used to encrypt passwords saved by browsers, certificate private keys, and other sensitive data. Domain controllers (DCs) hold backup master keys that can be used to decrypt all such secrets encrypted with DPAPI on domain-joined computers. These backup keys are stored as self-signed certificates in Active Directory (AD) objects of type secret called BCKUPKEY_*: Attackers with sufficient permissions can fetch these backup keys from AD through the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD / LSARPC) and use them to decrypt any secrets protected by DPAPI on all domain-joined Windows machines. It is therefore important for organizations to be able to detect the theft of DPAPI backup keys from AD by malicious actors. This article describes various ways of discovering this attack technique. Attack Classification MITRE ATT&CK® Tactic Credential Access (TA0006) MITRE ATT&CK® Technique Credentials from Password Stores (T1555) MITRE ATT&CK® Sub-Technique Unsecured Credentials: Private Keys (T1552.004) Tenable® Indicator of Attack DPAPI Domain Backup Key Extraction Microsoft® Defender for Identity Alert Malicious request of Data Protection API master key (alert ID 2020) Detection on Domain Controllers The most reliable way of detecting this attack technique is to monitor domain controllers for suspicious operations. Domain Controller Security Event Logs When a DPAPI backup key is retrieved from a domain controller (DC) through the MS-LSAD protocol, an undocumented event with the following properties is generated on that DC: Log Name Security Event ID 4662 Keywords Audit Success Task Category Other Object Access Events Object Server LSA Object Type SecretObject Accesses Query secret value Object Name Policy\Secrets\G$BCKUPKEY_*
Read More -
Directory Services Internals (DSInternals) PowerShell Module and Framework - MichaelGrafnetter/DSInternals
Read More
Related rules
- Certificate Exported Via PowerShell
- Certificate Exported Via PowerShell - ScriptBlock
- Cisco Crypto Commands
- Dump Credentials from Windows Credential Manager With PowerShell
- Enumerate Credentials from Windows Credential Manager With PowerShell