Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
An attacker must have domain administrator privileges, knowledge of Active Directory (AD), and knowledge to decrypt Data Protection API (DPAPI) secrets. Attackers that have sufficient privileges can export backup keys from domain controllers (DCs) with attack tools. Attackers that successfully retrieve a backup key can decrypt sensitive data for any domain user.
Kill Chain
Risk Score
84
The DPAPI is built into Windows operating systems because DPAPI enables fast encryption of sensitive data. The DPAPI creates a unique masterkey for each user. In an AD environment, the masterkey can be decrypted with a user domain password to access sensitive data, such as system passwords or certificates. The DPAPI also creates a backup key in case a user domain password changes. The backup key is a private key that is stored on a DC as a Local Security Authority (LSA) secret. The backup key can decrypt the masterkey for any user in an AD domain.
An attacker with domain administrator privileges can leverage attack tools such as Mimikatz and SharpDPAPI to export the domain backup key from a DC. The attacker or tool sends a Microsoft remote procedure call (MS-RPC) protocol request with the interface and operation, lsarpc:LsarRetrievePrivateData, to export the backup key. With the backup key, the attacker can decrypt masterkeys for any domain user and then decrypt their sensitive data.
