Creation or Modification of Domain Backup DPAPI Private Keys
This rule detects the creation or modification of Domain Backup private keys on Windows systems, which adversaries may extract from a Domain Controller (DC) to decrypt domain user master key files and gain credential access.
This detection identifies the creation or modification of Domain Backup private keys, specifically files named ntds_capi_*.pfx or ntds_capi_*.pvk on Windows systems. Attackers target these keys to extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC). Successful extraction allows adversaries to decrypt any domain user master key file, enabling them to access sensitive data protected by those keys. The rule is designed to detect activity associated with tools like Mimikatz, which can remotely dump these keys. This activity is a critical indicator of potential credential compromise within the domain. The rule covers endpoint, Windows, SentinelOne, Microsoft Defender XDR, and Crowdstrike data sources.
Attack Chain
- Adversary gains initial access to a domain-joined system, potentially through compromised credentials or exploiting a vulnerability.
- The attacker attempts to elevate privileges on the compromised system to gain necessary permissions for accessing the domain controller.
- The attacker uses a tool like Mimikatz to remotely connect to a Domain Controller (DC).
- Mimikatz is used to dump the DPAPI domain backup keys, resulting in files named
ntds_capi_*.pfxorntds_capi_*.pvkbeing created or modified on the DC or a network share. - The attacker copies the extracted DPAPI backup key files (
ntds_capi_*.pfxorntds_capi_*.pvk) to a system under their control. - The attacker uses the extracted DPAPI backup key to decrypt domain user master keys.
- The decrypted master keys are used to decrypt other secrets, such as stored credentials or private keys.
- The attacker leverages the stolen credentials or decrypted secrets to move laterally within the network or achieve their final objective, such as data exfiltration.
Impact
Successful extraction of DPAPI domain backup keys allows attackers to decrypt any domain user's master key, which in turn can decrypt sensitive data protected by those keys. This could lead to widespread credential compromise, enabling lateral movement, data theft, and potentially complete domain compromise. The rule helps identify potential breaches early in the attack chain before significant damage occurs. This is especially critical in environments where sensitive data is protected using DPAPI.
Recommendation
- Enable file integrity monitoring for critical system directories on Domain Controllers to detect the creation or modification of files matching
ntds_capi_*.pfxandntds_capi_*.pvkas indicated by the file names in the overview. - Deploy the provided Sigma rule to your SIEM to detect file creation events associated with DPAPI domain backup keys.
- Monitor process execution on Domain Controllers for known credential dumping tools like Mimikatz, as this is a common method for extracting DPAPI keys (T1003.003).
- Review and restrict access controls to Domain Controllers to minimize the risk of unauthorized access and credential dumping.
- Investigate any alerts generated by this rule promptly to determine the scope of the potential compromise and take appropriate remediation steps.
Detection coverage 2
Creation or Modification of DPAPI Domain Backup Key File
highDetects the creation or modification of DPAPI domain backup key files (ntds_capi_*.pfx or ntds_capi_*.pvk) which can be used to decrypt user credentials.
Creation of DPAPI Domain Backup Key via Commandline
mediumDetects the creation of DPAPI Domain backup keys via commandline
Detection queries are available on the platform. Get full rules →