/
file_access_win_dpapi_master_key_access.yml
34 lines (34 loc) · 1.38 KB
/
file_access_win_dpapi_master_key_access.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
title: Suspicious Access To Windows DPAPI Master Keys
id: 46612ae6-86be-4802-bc07-39b59feb1309
status: experimental
description: |
Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.
Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
references:
- https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
author: Nasreddine Bencherchali
date: 2022/10/17
tags:
- attack.credential_access
- attack.t1555.004
logsource:
category: file_access
product: windows
definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
detection:
selection:
FileName|contains:
- '\Microsoft\Protect\S-1-5-18\' # For System32
- '\Microsoft\Protect\S-1-5-21-' # For Users
filter_system_folders:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
# Increase level after false positives filters are good enough
level: medium