DPAPI Backup Keys And Certificate Export Activity IOC

Original Source: [Sigma source]
Title: DPAPI Backup Keys And Certificate Export Activity IOC
Status: test
Description: Detects file names using the prefixes (ntds_capi_, ntds_legacy_, ntds_unknown_) and extensions that tools such as Mimikatz and DSInternals write when they export the domain DPAPI backup keys and their associated certificates. Finding such files on disk indicates the backup keys have been dumped, which lets an attacker decrypt any domain user's DPAPI-protected secrets offline.
References:
  - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
  - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
Author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
Date: 2024-06-26
Modified: None
Tags:
  - attack.credential-access
  - attack.t1555
  - attack.t1552.004
Logsource:
  • product: windows
  • category: file_event
Detection:
  selection:
    TargetFilename|contains:
      - 'ntds_capi_'
      - 'ntds_legacy_'
      - 'ntds_unknown_'

    TargetFilename|endswith:
      - '.cer'
      - '.key'
      - '.pfx'
      - '.pvk'

  condition: selection
Falsepositives:
  - Unlikely
Level: high
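The selection above has two field conditions on the same field. Under Sigma semantics they are ANDed (a TargetFilename must both contain one of the prefixes and end with one of the extensions), each value list is an OR, and plain `contains`/`endswith` modifiers compare case-insensitively. The following Python replays that logic over a handful of constructed Sysmon Event ID 11 style records. It is an added example, not code from the rule's authors or from the Sigma project; the paths, process names and GUIDs are made up, and the `FileEvent` class and the function names are assumptions for illustration. The decoy records show why both conditions are needed: a `.txt` with the prefix and a `.pfx` without it both stay quiet.

```python
"""Replay the rule's selection against constructed Windows file_event records.

Sigma semantics being reproduced: within one selection map every field
condition must hold (AND); a list of values for one field is an OR; and
plain string modifiers such as |contains and |endswith compare
case-insensitively. Event shape, paths, tool names and GUIDs below are
constructed for illustration, not real telemetry.
"""
from dataclasses import dataclass

# Values taken from the rule's selection block.
PREFIXES = ("ntds_capi_", "ntds_legacy_", "ntds_unknown_")
SUFFIXES = (".cer", ".key", ".pfx", ".pvk")


@dataclass(frozen=True)
class FileEvent:
    """Minimal stand-in (hypothetical) for a Sysmon Event ID 11 FileCreate record."""
    image: str            # process that created the file
    target_filename: str  # full path of the created file


def selection_matches(target_filename: str) -> bool:
    """True when TargetFilename satisfies BOTH field conditions of the rule."""
    name = target_filename.lower()                          # Sigma matching is case-insensitive
    has_prefix = any(p in name for p in PREFIXES)           # TargetFilename|contains (OR over list)
    has_suffix = any(name.endswith(s) for s in SUFFIXES)    # TargetFilename|endswith (OR over list)
    return has_prefix and has_suffix                        # both fields in one selection: AND


def run_rule(events):
    """Return the events that fire the rule, in input order."""
    return [e for e in events if selection_matches(e.target_filename)]


# Constructed samples. The first four are shaped like exported backup-key
# material; the rest are decoys that satisfy only one condition or neither.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Windows\Temp\m.exe",
              r"C:\Windows\Temp\ntds_capi_0_9f1c2e3d-1111-2222-3333-444455556666.pfx"),
    FileEvent(r"C:\Windows\Temp\m.exe",
              r"C:\Windows\Temp\ntds_capi_0_9f1c2e3d-1111-2222-3333-444455556666.keyx.rsa.pvk"),
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\admin\Desktop\NTDS_LEGACY_7777aaaa-bbbb-cccc-dddd-eeeeffff0000.KEY"),
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\admin\Desktop\ntds_unknown_0_12345678-abcd-ef01-2345-6789abcdef01.cer"),
    # prefix present, wrong extension: does not fire
    FileEvent(r"C:\Windows\Temp\m.exe", r"C:\Windows\Temp\ntds_capi_notes.txt"),
    # right extension, no prefix: does not fire (ordinary certificate export)
    FileEvent(r"C:\Windows\System32\certreq.exe", r"C:\Users\admin\webserver.pfx"),
    # neither
    FileEvent(r"C:\Windows\explorer.exe", r"C:\Users\admin\Documents\report.docx"),
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT image={hit.image} target={hit.target_filename}")
```

Two points worth keeping in mind when deploying this rule. First, `contains` runs over the whole path, so a directory named with one of the prefixes would also satisfy the first condition; that is harmless here because the extension check still has to pass, but it is why the two conditions are combined rather than used alone. Second, the rule is a pure file-name IOC: an operator who renames the exported files, or uses a tool that writes them under other names, leaves no match. Treat a hit as high-confidence, but do not treat silence as assurance; pair it with auditing of the backup-key object reads on the domain controller described in the first reference.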