Detectionhightest
DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)Created Wed Jun 267892ec59-c5bb-496d-8968-e5d210ca3ac4windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic1 selector
detection:
selection:
TargetFilename|contains:
- 'ntds_capi_'
- 'ntds_legacy_'
- 'ntds_unknown_'
TargetFilename|endswith:
- '.cer'
- '.key'
- '.pfx'
- '.pvk'
condition: selectionFalse Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
MITRE ATT&CK
Tactics
Techniques
Sub-techniques
Rule Metadata
Rule ID
7892ec59-c5bb-496d-8968-e5d210ca3ac4
Status
test
Level
high
Type
Detection
Created
Wed Jun 26
Path
rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
Raw Tags
attack.credential-accessattack.t1555attack.t1552.004