LoFP / if a computer is a member of a domain, dpapi has a backup mechanism to allow unprotection of the data. which will trigger this event.

Techniques

• t1003
• t1003.004

Sample rules

DPAPI Domain Master Key Backup Attempt

• source: sigma
• technicques:
  • t1003
  • t1003.004

Description

Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.

Detection logic

condition: selection
selection:
  EventID: 4692