DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with patterns generated and used by tools such as Mimikatz and DSInternals when exporting or stealing DPAPI backup keys and certificates.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1552.004 Unsecured Credentials: Private Keys, T1555 Credentials from Password Stores |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: selection (Sigma detection map: every listed field must match, and within a field any one of the listed values satisfies it)

```yaml
selection:
    TargetFilename|endswith:
        - '.cer'
        - '.key'
        - '.pfx'
        - '.pvk'
    TargetFilename|contains:
        - 'ntds_capi_'
        - 'ntds_legacy_'
        - 'ntds_unknown_'
```
Indicators
Each row is a field, operator, and value set that the rule matches. Where the catalog shows a corpus count, it is the number of other rules that look for the same combination: high numbers point to widely used, community-vetted indicators, while blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| TargetFilename | ends_with | `.cer`, `.key`, `.pfx`, `.pvk` |
| TargetFilename | match (contains) | `ntds_capi_`, `ntds_legacy_`, `ntds_unknown_` |
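The selection block and the indicator table above describe the same two predicates. The following added example (not part of the rule catalog or of any Sigma tooling) evaluates them the way a Sigma backend would over Sysmon Event ID 11 records: both field predicates must hold, any listed value satisfies a predicate, and string comparison is case-insensitive. The event records and the GUID in the file names are constructed placeholders.

```python
"""Evaluate the DPAPI backup-key / certificate export rule against Sysmon
FileCreate (Event ID 11) records.  Added example; events are constructed."""

# Values copied from the rule's selection block.
ENDSWITH = (".cer", ".key", ".pfx", ".pvk")
CONTAINS = ("ntds_capi_", "ntds_legacy_", "ntds_unknown_")


def matches_selection(target_filename: str) -> bool:
    """Sigma map semantics: the two field predicates are ANDed, and each
    predicate is satisfied by any one of its listed values (OR).  Sigma
    string modifiers compare case-insensitively, so lower-case first."""
    name = target_filename.lower()
    has_suffix = any(name.endswith(suffix) for suffix in ENDSWITH)
    has_marker = any(marker in name for marker in CONTAINS)
    return has_suffix and has_marker


def evaluate(events):
    """Return the TargetFilename of every in-scope event that hits the rule.
    Event coverage is Sysmon EID 11 only, so other providers/IDs are skipped."""
    hits = []
    for ev in events:
        if ev.get("Provider") != "Sysmon" or ev.get("EventID") != 11:
            continue
        if matches_selection(ev["TargetFilename"]):
            hits.append(ev["TargetFilename"])
    return hits


# Constructed sample events; the GUID is a placeholder, not a real key id.
GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_EVENTS = [
    # Marker + listed suffix: hit.
    {"Provider": "Sysmon", "EventID": 11,
     "TargetFilename": f"C:\\Users\\Public\\ntds_capi_0_{GUID}.pfx"},
    # Upper-case marker still hits because Sigma matching ignores case.
    {"Provider": "Sysmon", "EventID": 11,
     "TargetFilename": f"C:\\Temp\\NTDS_LEGACY_0_{GUID}.key"},
    # Listed suffix but no ntds_ marker: an ordinary certificate export, no hit.
    {"Provider": "Sysmon", "EventID": 11,
     "TargetFilename": "C:\\certs\\webserver.pfx"},
    # Marker present but suffix not listed: no hit.
    {"Provider": "Sysmon", "EventID": 11,
     "TargetFilename": "C:\\Temp\\ntds_unknown_notes.txt"},
    # Matching name but a FileDelete event (EID 23): outside the rule's coverage.
    {"Provider": "Sysmon", "EventID": 23,
     "TargetFilename": f"C:\\Temp\\ntds_capi_0_{GUID}.pvk"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT DPAPI backup key / certificate export IOC:", hit)
```

The third and fourth sample events show why the two predicates are ANDed rather than ORed: a bare `.pfx` or `.key` suffix on its own would fire on routine certificate management, and the `ntds_` marker on its own would fire on unrelated files; only the combination is specific to the export tooling the rule describes.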