DPAPI Domain Master Key Backup Attempt
Detects any attempt to back up the DPAPI Master Key. This event is generated at the source and not on the Domain Controller.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003.004 OS Credential Dumping: LSA Secrets |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4692 | Backup of data protection master key was attempted. |