Thanks for the contribution @CTI-Driven. I've transformed this into 3 different rules covering DSInternals Cmdlets, SharpDPAPI CLI flags and file creation for the IOC generated by Mimikatz and DSInternals.
```yaml
title: Detecting Export of Stolen DPAPI Backup Keys
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
related:
    # Note: this is the rule's own id, and the 'type' key Sigma requires in 'related' is missing
    - id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
status: experimental
description: |
    Detecting exported DPAPI backup keys.
    DPAPI Backup Key Theft: Both Mimikatz and DSInternals export stolen DPAPI backup keys into files with the following name format:
    ntds_capi_.pfx
    ntds_capi_.pvk
references:
    - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
author: Nounou Mbeiri
date: 2024/04/15
tags:
    - attack.t1555
    - attack.t1552.004
logsource:
    product: windows
    category: file_event
detection:
    selection_1:
        TargetFilename|contains: 'ntds_capi_'
        TargetFilename|endswith: '.pfx'
    selection_2:
        TargetFilename|contains: 'ntds_capi_'
        TargetFilename|endswith: '.pvk'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
```
```yaml
title: Detecting DPAPI Backup Key Theft
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4  # Note: same id as the file_event rule above; rule ids must be unique
related:
    # Note: the 'type' key Sigma requires in 'related' is missing
    - id: 4ac1f50b-3bd0-4968-902d-868b4647937e
    - id: 46612ae6-86be-4802-bc07-39b59feb1309
status: experimental
description: 'Detecting DPAPI Backup Key Theft via hacktools: Mimikatz, SharpDPAPI and the PowerShell cmdlet from the DSInternals module'
references:
    - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
author: Nounou Mbeiri
date: 2024/04/15
tags:
    - attack.t1555
    - attack.t1552.004
logsource:
    product: windows
    category: process_creation
detection:
    selection_Mimikatz:
        CommandLine|contains:
            - lsadump::backupkeys
    selection_SharpDPAPI:
        CommandLine|contains:
            - backupkey
    selection_DSInternals:
        CommandLine|contains:
            - Get-LsaBackupKey
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
```
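To see how the two rules above behave on telemetry, here is a minimal evaluator for their detection blocks run over constructed Sysmon-style events. This is an added example, not code from the pull request or from the Sigma project; the events, the GUID in the file name and the `category` field used to pick the rule are all made up.

```python
# Added example (not part of the PR or of Sigma): minimal evaluator for the two
# rules above, applied to constructed Sysmon-style events.

# Detection blocks copied from the rules; both use 'condition: 1 of selection_*'.
FILE_RULE = {  # logsource category: file_event
    "selection_1": {"TargetFilename|contains": "ntds_capi_", "TargetFilename|endswith": ".pfx"},
    "selection_2": {"TargetFilename|contains": "ntds_capi_", "TargetFilename|endswith": ".pvk"},
}
PROC_RULE = {  # logsource category: process_creation
    "selection_Mimikatz": {"CommandLine|contains": ["lsadump::backupkeys"]},
    "selection_SharpDPAPI": {"CommandLine|contains": ["backupkey"]},
    "selection_DSInternals": {"CommandLine|contains": ["Get-LsaBackupKey"]},
}
RULES = {"file_event": FILE_RULE, "process_creation": PROC_RULE}

def _value_matches(modifier, actual, expected):
    # Sigma string comparison is case-insensitive unless the |cased modifier is used.
    actual, expected = actual.lower(), expected.lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "endswith":
        return actual.endswith(expected)
    return actual == expected  # no modifier: exact match

def _selection_matches(selection, event):
    # Keys inside one selection are AND-ed; a list of values under one key is OR-ed.
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        values = expected if isinstance(expected, list) else [expected]
        if actual is None or not any(_value_matches(modifier, actual, v) for v in values):
            return False
    return True

def fired_selections(event):
    """Names of the selections that match; the rule fires when the list is non-empty."""
    rule = RULES.get(event.get("category"), {})
    return [name for name, sel in rule.items() if _selection_matches(sel, event)]

# Constructed sample events (not real telemetry); the GUID in the file name is made up.
EVENTS = [
    {"category": "file_event", "TargetFilename": r"C:\Users\Public\ntds_capi_0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b.pvk"},
    {"category": "file_event", "TargetFilename": r"C:\Certs\webserver.pfx"},  # benign: no ntds_capi_ prefix
    {"category": "process_creation", "CommandLine": 'mimikatz.exe "lsadump::backupkeys"'},
    {"category": "process_creation", "CommandLine": "SharpDPAPI.exe BackupKey"},  # case differs, still fires
    {"category": "process_creation", "CommandLine": "powershell.exe -c Get-LsaBackupKey"},
    {"category": "process_creation", "CommandLine": "powershell.exe -c Get-Process"},  # benign
]
```

Running `fired_selections` over `EVENTS` shows that the bare `backupkey` substring also matches the Mimikatz and DSInternals command lines, so the SharpDPAPI selection alone would already cover all three tools; the separate selections still help attribute a hit to a specific tool.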