DPAPI backup keys Theft and Export related activities #4821

Open
CTI-Driven opened this issue Apr 16, 2024 · 1 comment
@CTI-Driven

```yaml
title: Detecting export stolen DPAPI backup keys
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
related:
    # The posted draft listed this rule's own id here; it should reference the companion
    # process_creation rule below once that rule has its own UUID (placeholder for now)
    - id: 00000000-0000-0000-0000-000000000000
      type: similar
status: experimental
description: |
    Detecting exported DPAPI backup keys.
    DPAPI Backup Key Theft: Both Mimikatz and DSInternals export stolen DPAPI backup keys into files with the following name format:
    ntds_capi_*.pfx
    ntds_capi_*.pvk
references:
    - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
author: Nounou Mbeiri
date: 2024/04/15
tags:
    - attack.t1555
    - attack.t1552.004
logsource:
    product: windows
    category: file_event
detection:
    selection_1:
        TargetFilename|contains: 'ntds_capi_'
        TargetFilename|endswith: '.pfx'
    selection_2:
        TargetFilename|contains: 'ntds_capi_'
        TargetFilename|endswith: '.pvk'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
```

```yaml
title: Detecting DPAPI Backup Key Theft
# Placeholder: the posted draft reused the first rule's id; every Sigma rule needs its own UUID
id: 00000000-0000-0000-0000-000000000000
related:
    - id: 4ac1f50b-3bd0-4968-902d-868b4647937e
      type: similar
    - id: 46612ae6-86be-4802-bc07-39b59feb1309
      type: similar
status: experimental
description: 'Detecting DPAPI Backup Key Theft via hacktools: Mimikatz, SharpDPAPI and the PowerShell cmdlet from the DSInternals module'
references:
    - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
author: Nounou Mbeiri
date: 2024/04/15
tags:
    - attack.t1555
    - attack.t1552.004
logsource:
    product: windows
    category: process_creation
detection:
    selection_Mimikatz:
        CommandLine|contains:
            - lsadump::backupkeys
    selection_SharpDPAPI:
        # Sigma matching is case-insensitive, so this substring also covers the strings in the
        # other two selections; this selection alone decides whether the rule fires
        CommandLine|contains:
            - backupkey
    selection_DSInternals:
        CommandLine|contains:
            - Get-LsaBackupKey
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
```
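To check what the two drafts would actually fire on, here is an added example (not code from the Sigma project or from the issue author) that transcribes their selections and evaluates them against constructed Sysmon-style events. The paths, GUID, hostnames and command lines are made up; the matcher hand-implements only the subset of Sigma semantics the drafts use (case-insensitive `contains`/`endswith`, AND between fields inside a selection, `1 of selection_*` as OR) rather than going through pySigma.

```python
"""Evaluate the two rule drafts from this issue against constructed events.

Added example, not code from the Sigma project or the issue author. It hand-implements
the subset of Sigma semantics these drafts use (case-insensitive contains/endswith,
AND between fields inside a selection, '1 of selection_*' as OR) so the matching logic
can be exercised offline without pySigma.
"""
from dataclasses import dataclass


def _contains(value: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive unless the 'cased' modifier is used
    return needle.lower() in value.lower()


def _endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


MODIFIERS = {"contains": _contains, "endswith": _endswith}


@dataclass
class Rule:
    title: str
    category: str     # logsource category the rule applies to
    selections: dict  # selection name -> {"Field|modifier": [value, ...]}

    @staticmethod
    def selection_matches(selection: dict, event: dict) -> bool:
        # Fields inside one selection are AND-ed; the values listed for a field are OR-ed
        for field_spec, values in selection.items():
            field, _, modifier = field_spec.partition("|")
            ev_value = event.get(field)
            if ev_value is None:
                return False
            if not any(MODIFIERS[modifier](ev_value, v) for v in values):
                return False
        return True

    def fired_selections(self, event: dict) -> list:
        """Names of the selections this event satisfies (empty list = no match)."""
        if event.get("category") != self.category:  # wrong log source, never matches
            return []
        return [name for name, sel in self.selections.items()
                if self.selection_matches(sel, event)]

    def matches(self, event: dict) -> bool:
        # condition: 1 of selection_*
        return bool(self.fired_selections(event))


# The two drafts from the issue, transcribed as selection dictionaries
FILE_RULE = Rule(
    title="Detecting export stolen DPAPI backup keys",
    category="file_event",
    selections={
        "selection_1": {"TargetFilename|contains": ["ntds_capi_"],
                        "TargetFilename|endswith": [".pfx"]},
        "selection_2": {"TargetFilename|contains": ["ntds_capi_"],
                        "TargetFilename|endswith": [".pvk"]},
    },
)
PROCESS_RULE = Rule(
    title="Detecting DPAPI Backup Key Theft",
    category="process_creation",
    selections={
        "selection_Mimikatz": {"CommandLine|contains": ["lsadump::backupkeys"]},
        "selection_SharpDPAPI": {"CommandLine|contains": ["backupkey"]},
        "selection_DSInternals": {"CommandLine|contains": ["Get-LsaBackupKey"]},
    },
)
RULES = [FILE_RULE, PROCESS_RULE]

# Constructed sample events with Sysmon-style field names; paths, GUID and command lines are made up
GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_EVENTS = [
    {"id": 1, "category": "file_event",
     "TargetFilename": rf"C:\Users\Public\ntds_capi_0_{GUID}.pfx"},
    {"id": 2, "category": "file_event",          # upper case: still matches
     "TargetFilename": rf"C:\Users\Public\NTDS_CAPI_0_{GUID}.PVK"},
    {"id": 3, "category": "file_event",          # benign .pvk without the ntds_capi_ prefix
     "TargetFilename": r"C:\Temp\build\signing.pvk"},
    {"id": 4, "category": "process_creation",
     "CommandLine": r'C:\Tools\mimikatz.exe "lsadump::backupkeys"'},
    {"id": 5, "category": "process_creation",
     "CommandLine": r"C:\Tools\SharpDPAPI.exe backupkey"},
    {"id": 6, "category": "process_creation",
     "CommandLine": "powershell.exe -Command Get-LsaBackupKey"},
    {"id": 7, "category": "process_creation",    # benign
     "CommandLine": r"C:\Windows\System32\notepad.exe C:\Temp\notes.txt"},
]


def evaluate(events, rules=RULES):
    """Return (event id, rule title, fired selection names) for every rule hit."""
    hits = []
    for event in events:
        for rule in rules:
            fired = rule.fired_selections(event)
            if fired:
                hits.append((event["id"], rule.title, fired))
    return hits


if __name__ == "__main__":
    for event_id, title, fired in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {title} <- {', '.join(fired)}")
```

Running it shows one detail worth keeping in mind when reviewing the process_creation draft: because Sigma matching is case-insensitive, the `backupkey` substring of `selection_SharpDPAPI` is also contained in `lsadump::backupkeys` and `Get-LsaBackupKey`, so events 4 and 6 fire two selections each and the rule reduces in practice to "CommandLine contains backupkey". The file_event draft behaves as described: the upper-case `.PVK` path still matches, and a `.pvk` without the `ntds_capi_` prefix does not.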

Contributor

Welcome @CTI-Driven 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃
