{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/domain-controller/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["credential-access","dpapi","domain-controller"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies the creation or modification of Domain Backup private key files (\u003ccode\u003entds_capi_*.pfx\u003c/code\u003e, \u003ccode\u003entds_capi_*.pvk\u003c/code\u003e) on Windows systems. These names are the export format that common tooling writes when it pulls the Data Protection API (DPAPI) domain backup key out of a Domain Controller (DC). Every domain user\u0026rsquo;s DPAPI master key is additionally encrypted to this domain-wide RSA key so that it can be recovered after a password reset; an adversary holding the private key can therefore decrypt any domain user\u0026rsquo;s master key file and, through it, every secret that user protected with DPAPI (Credential Manager entries, saved browser and RDP credentials, certificate private keys, application secrets stored with CryptProtectData). The key is generated once per domain and is not rotated by password changes, so a single theft stays useful indefinitely. Defenders should treat a hit as a high-impact credential access attempt, not as a file-write anomaly. 
The rule matches file events whose file name fits the patterns above, in any directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains administrative access to a Domain Controller (DC), or credentials with equivalent rights, typically after earlier privilege escalation or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker runs a tool that retrieves the DPAPI domain backup key. The key is stored in Active Directory as secret objects; tooling reads it live from a DC through the LSA secrets interface or the directory replication protocol, or offline from a copy of \u003ccode\u003entds.dit\u003c/code\u003e together with the SYSTEM hive. Dumping \u003ccode\u003entds.dit\u003c/code\u003e is one route, not a prerequisite.\u003c/li\u003e\n\u003cli\u003eThe tool writes the key to disk as \u003ccode\u003entds_capi_*.pfx\u003c/code\u003e and \u003ccode\u003entds_capi_*.pvk\u003c/code\u003e (PFX and PVK encodings of the same RSA private key), usually in the working directory of the exporting process. This is the file event the rule catches.\u003c/li\u003e\n\u003cli\u003eThe attacker stages the key files for exfiltration, for example by copying them to a temporary directory or a network share. Each copy is a further creation event wherever the destination is monitored.\u003c/li\u003e\n\u003cli\u003eThe attacker compresses or archives the key files, which hides the file names from pattern matching on the archive itself.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the archive to a remote location.\u003c/li\u003e\n\u003cli\u003eWith the backup key and copies of user master key files, collected separately from user profiles, the attacker decrypts the master keys offline and then any DPAPI blob they protect. No further contact with the DC is required.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack exposes every DPAPI-protected secret in the domain at once, for current and future users, because the same backup key covers all user master keys. Decrypted material commonly includes saved user and service credentials, certificate private keys, and application secrets, which feed lateral movement, data theft, and long-term persistence. 
The feed rates this detection high severity. The exposure is effectively permanent: the domain backup key is long-lived and is not invalidated by the password resets and credential rotation that normally follow a compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMake sure file creation telemetry on domain controllers and administrative hosts covers \u003ccode\u003entds_capi_*.pfx\u003c/code\u003e and \u003ccode\u003entds_capi_*.pvk\u003c/code\u003e: Sysmon Event ID 11 (FileCreate) with a matching rule, or the file events of an EDR such as Elastic Defend, Microsoft Defender or SentinelOne. Sysmon has no file modification event, so the modification half of this detection needs EDR file telemetry or Windows object access auditing (Event ID 4663) on the directories of interest.\u003c/li\u003e\n\u003cli\u003eDeploy a rule (for example as a Sigma rule) keyed on those file name patterns. Match case-insensitively on the base name only, since the tools write wherever their working directory happens to be. Benign hits should be close to zero; there is no routine Windows operation that produces these names.\u003c/li\u003e\n\u003cli\u003eTreat the file-name match as a tripwire rather than complete coverage. An operator can rename the output or choose the file name up front (SharpDPAPI\u0026rsquo;s \u003ccode\u003ebackupkey\u003c/code\u003e command takes the output path as an argument), and the key never touches the DC\u0026rsquo;s disk when it is pulled remotely. Pair the rule with process monitoring on domain controllers for known export commands (mimikatz \u003ccode\u003elsadump::backupkeys\u003c/code\u003e, SharpDPAPI \u003ccode\u003ebackupkey\u003c/code\u003e, DSInternals \u003ccode\u003eGet-ADDBBackupKey\u003c/code\u003e and \u003ccode\u003eGet-ADReplBackupKey\u003c/code\u003e) and for access to copies of \u003ccode\u003entds.dit\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate every hit: capture the process lineage, the account, the directory the files were written to, and any subsequent copy, archive or network activity. If the files existed, assume the domain backup key is compromised; a password reset does not undo that.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-domain-backup-dpapi/","summary":"Detection of creation or modification of Domain Backup private keys, which adversaries may extract from a Domain Controller (DC) to decrypt domain user master key files.","title":"Creation or Modification of Domain Backup DPAPI Private Keys","url":"https://feed.craftedsignal.io/briefs/2024-01-domain-backup-dpapi/"}],"language":"en","title":"CraftedSignal Threat Feed — Domain-Controller","version":"https://jsonfeed.org/version/1.1"}
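The file-name match described in the brief, together with the process-based tripwire from the recommendations, as an added example that is not the feed's or any vendor's rule. The event field names (EventType, Computer, Image, ParentImage, TargetFilename, CommandLine) mirror Sysmon's and the sample events are constructed; both are assumptions of this example. The sample includes the two evasions the recommendations warn about: a legacy-format key outside the patterns, and a SharpDPAPI export written under an operator-chosen name, which only the process rule catches.

```python
"""Added example: DPAPI domain backup key export detection over sample telemetry.

Not the feed's rule. Field names follow Sysmon conventions but are an
assumption of this example; all events below are constructed.
"""
import fnmatch
import ntpath
from dataclasses import dataclass

# File-name patterns from the brief, applied to the base name only because
# the export tools write into whatever their working directory is.
FILE_PATTERNS = ("ntds_capi_*.pfx", "ntds_capi_*.pvk")

# Lower-confidence process tripwire: substrings of public export commands.
# Most specific first so the reported marker names the right tool.
EXPORT_COMMAND_MARKERS = (
    "lsadump::backupkeys",   # mimikatz
    "get-addbbackupkey",     # DSInternals, offline from ntds.dit + SYSTEM hive
    "get-adreplbackupkey",   # DSInternals, via directory replication
    " backupkey",            # SharpDPAPI: "<exe> backupkey /server:.. /file:.."
)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    image: str
    parent_image: str
    detail: str


def matches_backup_key_name(path: str) -> bool:
    """True if the base name of path matches an export pattern, case-insensitively."""
    name = ntpath.basename(path).lower()
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in FILE_PATTERNS)


def export_command_marker(command_line: str):
    """Return the first known export-command marker in command_line, else None."""
    lowered = command_line.lower()
    return next((m for m in EXPORT_COMMAND_MARKERS if m in lowered), None)


def evaluate(events) -> list:
    """Run the file rule and the process rule over event dicts; return alerts in order."""
    alerts = []
    for ev in events:
        if ev["EventType"] in ("FileCreate", "FileModify"):
            if matches_backup_key_name(ev["TargetFilename"]):
                alerts.append(Alert("dpapi_backup_key_file", ev["Computer"],
                                    ev["Image"], ev["ParentImage"], ev["TargetFilename"]))
        elif ev["EventType"] == "ProcessCreate":
            marker = export_command_marker(ev["CommandLine"])
            if marker:
                alerts.append(Alert("dpapi_backup_key_export_cmd", ev["Computer"],
                                    ev["Image"], ev["ParentImage"], marker))
    return alerts


# Constructed sample telemetry: a mimikatz export on the DC, a staging copy on a
# workstation, benign noise, and a SharpDPAPI export under a chosen file name.
GUID = "7f3c1a2e-9b44-4b0c-a0d1-5e6f7a8b9c0d"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Computer": "DC01", "Image": r"C:\Windows\Temp\m.exe",
     "ParentImage": CMD, "CommandLine": 'm.exe "lsadump::backupkeys /system:DC01 /export" exit'},
    {"EventType": "FileCreate", "Computer": "DC01", "Image": r"C:\Windows\Temp\m.exe",
     "ParentImage": CMD, "TargetFilename": rf"C:\Windows\Temp\ntds_capi_0_{GUID}.pfx"},
    {"EventType": "FileCreate", "Computer": "DC01", "Image": r"C:\Windows\Temp\m.exe",
     "ParentImage": CMD, "TargetFilename": rf"C:\Windows\Temp\ntds_capi_0_{GUID}.keyx.rsa.pvk"},
    # Legacy-format key written by the same export: outside the brief's patterns.
    {"EventType": "FileCreate", "Computer": "DC01", "Image": r"C:\Windows\Temp\m.exe",
     "ParentImage": CMD, "TargetFilename": rf"C:\Windows\Temp\ntds_legacy_0_{GUID}.key"},
    # Staging copy on a workstation, upper-cased in transit: still a hit.
    {"EventType": "FileCreate", "Computer": "WS07", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "TargetFilename": rf"D:\staging\NTDS_CAPI_0_{GUID.upper()}.PFX"},
    # Benign certificate export: no hit.
    {"EventType": "FileCreate", "Computer": "WS07", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": CMD, "TargetFilename": r"C:\Users\jsmith\Documents\webserver.pfx"},
    # Operator-chosen output name: the file rule misses, the process rule catches it.
    {"EventType": "ProcessCreate", "Computer": "WS07", "Image": r"C:\tools\sd.exe",
     "ParentImage": CMD, "CommandLine": r"sd.exe backupkey /server:dc01.corp.example /file:key.pvk"},
    {"EventType": "FileCreate", "Computer": "WS07", "Image": r"C:\tools\sd.exe",
     "ParentImage": CMD, "TargetFilename": r"C:\tools\key.pvk"},
    {"EventType": "ProcessCreate", "Computer": "DC01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-ADUser -Filter * -Properties lastLogon"},
]


def run_sample() -> list:
    """Evaluate the constructed events; returns 5 alerts (3 file, 2 process)."""
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.rule:28} {a.host:5} {a.image} <- {a.parent_image}: {a.detail}")
```

The `key.pvk` event produces no alert even though it is the same key material, which is the point of keeping the process rule alongside the file rule; in production the process markers would be tuned per environment, since they are substring matches and easy to obfuscate.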