high advisory

Creation or Modification of Domain Backup DPAPI Private Keys

Detection of creation or modification of Domain Backup private keys, which adversaries may extract from a Domain Controller (DC) to decrypt domain user master key files.

This detection identifies the creation or modification of Domain Backup private key files (ntds_capi_*.pfx, ntds_capi_*.pvk) on Windows systems. Attackers may attempt to extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC). Successful extraction of this key allows the adversary to decrypt any domain user's master key file, granting unauthorized access to sensitive data and potentially leading to complete domain compromise. Defenders should treat this activity as a high-impact credential access attempt. The rule focuses on file creation events involving the file names commonly produced when DPAPI backup keys are exported.

Attack Chain

  1. An attacker gains initial access to a Domain Controller (DC).
  2. The attacker executes a tool or script designed to extract DPAPI domain backup keys.
  3. The tool retrieves the ntds.dit file, the Active Directory database.
  4. The tool extracts DPAPI domain backup keys, creating files named ntds_capi_*.pfx and ntds_capi_*.pvk.
  5. The attacker stages the extracted key files for exfiltration, potentially copying them to a temporary directory or network share.
  6. The attacker compresses or archives the key files to evade detection.
  7. The attacker exfiltrates the compressed archive to a remote location.
  8. The attacker uses the exfiltrated DPAPI domain backup keys to decrypt domain user master keys offline.

Impact

A successful attack can result in complete domain compromise. By extracting and decrypting DPAPI protected secrets, attackers gain unauthorized access to sensitive information, including user credentials, service accounts, and other critical data. This can lead to lateral movement, data theft, and disruption of services. The impact is considered critical due to the potential for widespread damage and long-term consequences.

Recommendation

  • Enable Sysmon file creation logging to capture the creation of ntds_capi_*.pfx and ntds_capi_*.pvk files.
  • Deploy the provided Sigma rule to detect the creation or modification of DPAPI backup key files.
  • Monitor process execution on domain controllers for suspicious command-line activity associated with DPAPI backup key extraction tools.
  • Investigate any alerts generated by the Sigma rule, focusing on the process lineage and destination of the created files.

Detection coverage (3 rules)

Creation of Domain Backup DPAPI private key

high

Detects the creation of DPAPI private key files on Windows systems.

Format: sigma | Tactics: credential_access | Techniques: T1003 | Sources: file_event, windows

Modification of Domain Backup DPAPI private key

medium

Detects the modification of DPAPI private key files on Windows systems.

Format: sigma | Tactics: credential_access | Techniques: T1003 | Sources: file_event, windows

DPAPI Backup Key Creation by Suspicious Process

high

Detects the creation of DPAPI backup key files by unusual processes like cmd.exe or powershell.exe.

Format: sigma | Tactics: credential_access | Techniques: T1003 | Sources: file_event, windows
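The matching logic the three rules above describe, as an added Python example that is not the feed's own Sigma rules. The normalised event shape (an assumed `action` field of `create` or `modify`, plus Sysmon-style `TargetFilename` and `Image`) and the sample events are constructed for illustration.

```python
import fnmatch
import ntpath

# File names the advisory's rules key on (the '*' stands for the key identifier).
KEY_FILE_PATTERNS = ("ntds_capi_*.pfx", "ntds_capi_*.pvk")
# Processes the third rule treats as unusual writers of these files.
SUSPICIOUS_IMAGES = ("cmd.exe", "powershell.exe")


def is_backup_key_file(path: str) -> bool:
    """True when the file name matches a Domain Backup DPAPI key pattern (case-insensitive)."""
    name = ntpath.basename(path).lower()
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in KEY_FILE_PATTERNS)


def classify(event: dict):
    """Map one normalised file event to (rule title, severity), or None if no rule fires.
    Assumed event shape: action ('create' or 'modify'), TargetFilename, Image."""
    if not is_backup_key_file(event.get("TargetFilename", "")):
        return None
    image = ntpath.basename(event.get("Image", "")).lower()
    if event.get("action") == "create":
        if image in SUSPICIOUS_IMAGES:
            return ("DPAPI Backup Key Creation by Suspicious Process", "high")
        return ("Creation of Domain Backup DPAPI private key", "high")
    if event.get("action") == "modify":
        return ("Modification of Domain Backup DPAPI private key", "medium")
    return None


def alerts_for(events):
    """Return [(event index, rule title, severity)] for every event that fires a rule."""
    alerts = []
    for index, event in enumerate(events):
        hit = classify(event)
        if hit:
            alerts.append((index, hit[0], hit[1]))
    return alerts


# Constructed sample events (not real telemetry); Sysmon Event ID 11 would feed 'create'.
SAMPLE_EVENTS = [
    {"action": "create", "TargetFilename": r"C:\Windows\Temp\ntds_capi_0_1111-2222.pfx",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"action": "create", "TargetFilename": r"C:\Users\admin\ntds_capi_0_1111-2222.pvk",
     "Image": r"C:\Tools\backup-util.exe"},
    {"action": "modify", "TargetFilename": r"C:\Users\admin\NTDS_CAPI_0_1111-2222.PVK",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"action": "create", "TargetFilename": r"C:\Users\admin\quarterly_report.pdf",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for index, title, severity in alerts_for(SAMPLE_EVENTS):
        print(f"event {index}: [{severity}] {title}")
```

The fourth sample shows that a suspicious parent process alone does not fire any rule; the file name match is the gate for all three.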
