title: DPAPI Domain Master Key Backup Attempt
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects anyone attempting a backup for the DPAPI Master Key. This events
    gets generated at the source and not the Domain Controller.
detection:
    SELECTION_1:
        EventID: 4692
    condition: SELECTION_1
falsepositives:
- Unknown
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
level: critical
logsource:
    product: windows
    service: security
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html
status: experimental
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.004
yml_filename: win_dpapi_domain_masterkey_backup_attempt.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin