-
-
Notifications
You must be signed in to change notification settings - Fork 194
/
credential_access_suspicious_access_to_windows_dpapi_master_keys.yml
45 lines (43 loc) · 1.65 KB
/
credential_access_suspicious_access_to_windows_dpapi_master_keys.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
name: Suspicious access to Windows DPAPI Master Keys
id: b1d5732a-5ad4-4cdd-8791-c22e34c591e5
version: 1.0.1
description: |
Detects suspicious processes accessing the Windows Data Protection API Master keys
which is a sign of potential credential stealing.
DPAPI master keys are responsible for symmetric encryption of asymmetric private keys,
using a user or system secret as a significant contribution of entropy.
DPAPI allows developers to encrypt keys using a symmetric key derived from the
user's logon secrets, or in the case of system encryption, using the system's
domain authentication secrets.
labels:
tactic.id: TA0006
tactic.name: Credential Access
tactic.ref: https://attack.mitre.org/tactics/TA0006/
technique.id: T1555
technique.name: Credentials from Password Stores
technique.ref: https://attack.mitre.org/techniques/T1555/
subtechnique.id: T1555.004
subtechnique.name: Windows Credential Manager
subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
references:
- https://www.sygnia.co/blog/the-downfall-of-dpapis-top-secret-weapon/
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
condition: >
open_file
and
file.path imatches
(
'?:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\Users\\*',
'?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\S-1-5-21*\\*',
'?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\S-1-12-1-*\\*'
)
and
not
ps.exe imatches
(
'?:\\Program Files\\*',
'?:\\Program Files(x86)\\*',
'?:\\Windows\\System32\\*',
'?:\\Windows\\SysWOW64\\*'
)
min-engine-version: 2.4.0