DPAPI Domain Master Key Backup Attempt
Detects anyone attempting a backup of the DPAPI Master Key. This event is generated on the source host, not on the Domain Controller.
Author: Roberto Rodriguez (Cyb3rWard0g)
Created: Sat Aug 10
Updated: Wed Mar 15
Log Source
Product: windows
Service: security
Detection Logic
detection:
  selection:
    EventID: 4692
  condition: selection
False Positives
If a computer is a member of a domain, DPAPI has a backup mechanism that allows the data to be unprotected, and that backup triggers this event.
MITRE ATT&CK
Tactics: Credential Access (attack.credential-access)
Sub-techniques: T1003.004 (attack.t1003.004)
Rule Metadata
Rule ID
39a94fd1-8c9a-4ff6-bf22-c058762f8014
Status
test
Level
medium
Type
Detection
Created
Sat Aug 10
Modified
Wed Mar 15
Path
rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml
Raw Tags
attack.credential-access, attack.t1003.004