
Access To Windows DPAPI Master Keys By Uncommon Applications (46612ae6-86be-4802-bc07-39b59feb1309)

Detects file access requests to the Windows Data Protection API (DPAPI) master keys by an uncommon application. This can be a sign of credential stealing; an example case would be use of the mimikatz "dpapi::masterkey" function.

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Access To Windows DPAPI Master Keys By Uncommon Applications (46612ae6-86be-4802-bc07-39b59feb1309) | Sigma-Rules | Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) | Attack Pattern | 1
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) | Attack Pattern | Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | 2