SigmaHQ/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml

26 lines
807 B
YAML
Raw Normal View History

title: DPAPI Domain Backup Key Extraction
id: 4ac1f50b-3bd0-4968-902d-868b4647937e
description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
status: experimental
date: 2019/06/20
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
tags:
- attack.credential_access
- attack.t1003 # an old one
2020-06-16 20:46:08 +00:00
- attack.t1003.004
logsource:
product: windows
service: security
detection:
2020-06-16 20:46:08 +00:00
selection:
EventID: 4662
ObjectType: 'SecretObject'
AccessMask: '0x2'
ObjectName: 'BCKUPKEY'
condition: selection
falsepositives:
- Unknown
2020-06-16 20:46:08 +00:00
level: critical