Uncommon applications accessing Windows DPAPI master keys may indicate an adversary attempting to steal credentials, since those keys are what unlocks DPAPI-protected data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft early.
Detection Rule
title: Access To Windows DPAPI Master Keys By Uncommon Applications
id: 46612ae6-86be-4802-bc07-39b59feb1309
status: test
description: |
    Detects file access requests to the Windows Data Protection API Master keys by an uncommon application.
    This can be a sign of credential stealing. An example case would be use of the mimikatz "dpapi::masterkey" function.
references:
    - http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
modified: 2024-07-29
tags:
    - attack.credential-access
    - attack.t1555.004
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\Microsoft\Protect\S-1-5-18\' # For System32
            - '\Microsoft\Protect\S-1-5-21-' # For Users
    filter_system_folders:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
# Increase level after false positives filters are good enough
level: medium

imFileEvent
// Sigma "FileName" is the full accessed path; in the ASIM imFileEvent schema that is TargetFilePath
// (the FileName alias holds only the base name and would never contain the directory markers)
| where (TargetFilePath contains "\\Microsoft\\Protect\\S-1-5-18\\" or TargetFilePath contains "\\Microsoft\\Protect\\S-1-5-21-")
// Sigma "Image" is the acting process, so the system-folder filter must test ActingProcessName,
// not the accessed file's path (otherwise every System32 master-key access is silently excluded)
| where not((ActingProcessName startswith "C:\\Program Files\\" or ActingProcessName startswith "C:\\Program Files (x86)\\" or ActingProcessName startswith "C:\\Windows\\system32\\" or ActingProcessName startswith "C:\\Windows\\SysWOW64\\"))
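As an added illustration that is not part of the Sigma rule or its Sentinel translation, the following Python re-implements the rule's logic (selection on the master-key path, exclusion of images under the four system folders, both case-insensitive as in Sigma) and runs it over constructed file-access events; the line format, user name, SID and paths are made up.

```python
# Sigma "selection": substrings of the accessed path (Sigma/KQL `contains` is case-insensitive)
MASTERKEY_PATH_MARKERS = (
    "\\Microsoft\\Protect\\S-1-5-18\\",  # SYSTEM master keys, under System32
    "\\Microsoft\\Protect\\S-1-5-21-",   # per-user master keys, keyed by the user's SID
)
# Sigma "filter_system_folders": acting processes under these paths are treated as expected
TRUSTED_IMAGE_PREFIXES = (
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\Windows\\system32\\",
    "C:\\Windows\\SysWOW64\\",
)

def parse_event(line):
    """Parse one constructed 'Image=<path>;FileName=<path>' line (not a real ETW format)."""
    return dict(part.split("=", 1) for part in line.strip().split(";"))

def matches_rule(event):
    """Evaluate `selection and not 1 of filter_*` for one event (case-insensitive, like Sigma)."""
    path, image = event["FileName"].lower(), event["Image"].lower()
    selection = any(marker.lower() in path for marker in MASTERKEY_PATH_MARKERS)
    trusted = any(image.startswith(prefix.lower()) for prefix in TRUSTED_IMAGE_PREFIXES)
    return selection and not trusted

def hunt(lines):
    """Return the acting-process path of every event the rule would alert on."""
    return [ev["Image"] for ev in map(parse_event, lines) if matches_rule(ev)]

# Constructed sample events; the user name and SID are made up.
SAMPLE_LOG = [
    # lsass.exe under System32: selection matches but the image is trusted -> no alert
    "Image=C:\\Windows\\System32\\lsass.exe;FileName=C:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\User\\Preferred",
    # vendor service under Program Files reading a user master-key folder -> filtered
    "Image=C:\\Program Files\\Vendor\\svc.exe;FileName=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1111-2222-3333-1001\\Preferred",
    # binary in the user's Downloads folder reading that user's master-key folder -> alert
    "Image=C:\\Users\\alice\\Downloads\\tool.exe;FileName=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1111-2222-3333-1001\\Preferred",
    # unknown binary in C:\Temp touching the SYSTEM master-key folder -> alert
    "Image=C:\\Temp\\svc.exe;FileName=C:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\User\\Preferred",
    # the trailing backslash in the prefix matters: 'Program Files Extra' is not 'Program Files\' -> alert
    "Image=C:\\Program Files Extra\\app.exe;FileName=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1111-2222-3333-1001\\Preferred",
    # ordinary document access: selection does not match -> no alert
    "Image=C:\\Users\\alice\\Downloads\\tool.exe;FileName=C:\\Users\\alice\\Documents\\notes.txt",
]

if __name__ == "__main__":
    for image in hunt(SAMPLE_LOG):
        print("ALERT", image)
```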
Scenario: Scheduled Job Using DPAPI for Credential Storage
Description: A legitimate scheduled job may access DPAPI master keys to retrieve credentials stored for automation tasks.
Filter/Exclusion: Exclude access by known system services or scheduled tasks (e.g., schtasks.exe, Task Scheduler), or filter by process names like sqlservr.exe or sqlagent.exe if used for credential management.

Scenario: Application Using DPAPI for Secure Storage
Description: A legitimate application (e.g., Microsoft SQL Server, Exchange, or IIS) may access DPAPI master keys to securely store or retrieve sensitive data.
Filter/Exclusion: Exclude access by known enterprise applications (e.g., sqlservr.exe, msiexec.exe, iisexpress.exe) or filter by application-specific process names.

Scenario: Admin Task Using DPAPI for Credential Access
Description: An administrator may use DPAPI to access credentials stored in the system for maintenance or troubleshooting.
Filter/Exclusion: Exclude access by processes running under the SYSTEM or Administrators user context, or filter by known administrative tools (e.g., mmc.exe, control.exe).

Scenario: Mimikatz Used for DPAPI Credential Extraction (False Positive)
Description: While Mimikatz is a known credential stealer, it may be used in a controlled environment for security testing or incident response.
Filter/Exclusion: Exclude processes running in a sandboxed environment, or filter by user context (e.g., LocalSystem, TestUser) or IP source if known.

Scenario: Third-Party Tool Using DPAPI for Secure Data Access
Description: A third-party application (e.g., BitLocker, Windows Defender, or Azure Key Vault) may