← Library
sigmaDRL-1.1from SigmaHQ/sigma

DPAPI Backup Keys And Certificate Export Activity IOC

Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1555T1552.004
Rule sourcerules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml
title: DPAPI Backup Keys And Certificate Export Activity IOC
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
status: test
description: |
    Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
references:
    - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.credential-access
    - attack.t1555
    - attack.t1552.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - 'ntds_capi_'
            - 'ntds_legacy_'
            - 'ntds_unknown_'
        TargetFilename|endswith:
            - '.cer'
            - '.key'
            - '.pfx'
            - '.pvk'
    condition: selection
falsepositives:
    - Unlikely
level: high