Adversaries may exfiltrate DPAPI backup keys or certificates, and the tools used to do so (for example Mimikatz and DSInternals) write the exported material to files with recognizable name patterns associated with credential theft. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential compromise before it is used for lateral movement or persistence.
Detection Rule
title: DPAPI Backup Keys And Certificate Export Activity IOC
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
status: test
description: |
    Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
references:
    - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.credential-access
    - attack.t1555
    - attack.t1552.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - 'ntds_capi_'
            - 'ntds_legacy_'
            - 'ntds_unknown_'
        TargetFilename|endswith:
            - '.cer'
            - '.key'
            - '.pfx'
            - '.pvk'
    condition: selection
falsepositives:
    - Unlikely
level: high
imFileEvent
| where (TargetFileName contains "ntds_capi_" or TargetFileName contains "ntds_legacy_" or TargetFileName contains "ntds_unknown_") and (TargetFileName endswith ".cer" or TargetFileName endswith ".key" or TargetFileName endswith ".pfx" or TargetFileName endswith ".pvk")
False Positive Scenarios

Scenario: Scheduled DPAPI Key Backup Job
Description: A legitimate scheduled task is configured to back up DPAPI backup keys as part of a security or compliance policy.
Filter/Exclusion: Exclude files generated by known backup tools or tasks, e.g., dpapi_backup_job.exe or files with timestamps matching scheduled job execution times.

Scenario: Certificate Export for Administrative Tasks
Description: An administrator exports a certificate for use in a trusted third-party service or for certificate-based authentication.
Filter/Exclusion: Exclude files created by tools like certutil or openssl with known certificate export patterns, or filter by user account with administrative privileges.

Scenario: DSInternals Tool Usage for Key Recovery
Description: A security team uses DSInternals to recover DPAPI keys for forensic analysis or password recovery.
Filter/Exclusion: Exclude files generated by DSInternals (e.g., dsinternals.exe) or files with specific command-line arguments used for legitimate key recovery.

Scenario: Mimikatz Usage for DPAPI Key Extraction
Description: A red team or penetration tester uses Mimikatz to extract DPAPI keys during a security assessment.
Filter/Exclusion: Exclude files with Mimikatz-specific patterns (e.g., mimikatz.exe) or filter by user accounts with known penetration testing permissions.

Scenario: Backup Key Export for Multi-Factor Authentication (MFA) Setup
Description: An IT administrator exports a DPAPI backup key to configure MFA on a user account.
Filter/Exclusion: Exclude files associated with MFA setup tools (e.g., Azure MFA) or files created during known MFA configuration windows.
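The following is an added example, not part of the Sigma rule or the Azure Sentinel query above: a Python re-implementation of the rule's selection logic (the contains/endswith pairing, matched case-insensitively as Sigma and KQL both do) run over constructed file-creation events, with an optional creating-image allowlist of the kind the scenarios above describe. File paths, GUIDs and process names in the sample events are placeholders.

```python
"""Mirror of the rule: TargetFilename must contain one prefix AND end with one extension."""
from dataclasses import dataclass

PREFIXES = ("ntds_capi_", "ntds_legacy_", "ntds_unknown_")  # the rule's |contains list
EXTENSIONS = (".cer", ".key", ".pfx", ".pvk")                # the rule's |endswith list


@dataclass
class FileEvent:
    target_filename: str  # Sysmon EventID 11 TargetFilename / ASIM TargetFileName
    image: str            # creating process; only used for the scenario-style allowlist


def matches_selection(target_filename: str) -> bool:
    """Sigma string modifiers and KQL contains/endswith are case-insensitive, so normalise."""
    name = target_filename.lower()
    return any(p in name for p in PREFIXES) and any(name.endswith(e) for e in EXTENSIONS)


def hunt(events, allowlisted_images=()):
    """Return events hitting the rule, minus those created by an explicitly allowlisted image.
    An allowlist keyed on the full image path is the tuning the false-positive scenarios suggest."""
    allowed = {i.lower() for i in allowlisted_images}
    return [ev for ev in events
            if matches_selection(ev.target_filename) and ev.image.lower() not in allowed]


# Constructed sample telemetry (placeholder GUIDs and paths, not real events)
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\admin\ntds_capi_0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b.pfx",
              r"C:\Tools\mimikatz.exe"),
    FileEvent(r"C:\Backups\NTDS_LEGACY_00000000-0000-0000-0000-000000000001.KEY",
              r"C:\Program Files\BackupJob\dpapi_backup_job.exe"),   # hypothetical scheduled job
    FileEvent(r"C:\Temp\ntds_unknown_00000000-0000-0000-0000-000000000002.pvk",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    FileEvent(r"C:\Temp\ntds_capi_notes.txt", r"C:\Windows\System32\notepad.exe"),  # prefix only
    FileEvent(r"C:\Certs\webserver.pfx", r"C:\Windows\System32\certutil.exe"),      # extension only
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print("HIT", ev.target_filename, "created by", ev.image)
```

Note that the mixed-case `NTDS_LEGACY_...KEY` event still matches, which is why the allowlist, not a case-sensitive pattern, is the right place to tune out the scheduled job.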