Domain DPAPI Backup Key Extraction#

Hypothesis#

Adversaries might be extracting the DPAPI domain backup key from my DC to be able to decrypt any domain user master key files.

Technical Context#

Starting with Microsoft® Windows® 2000, the operating system began to provide a data protection application-programming interface (API). This Data Protection API (DPAPI) is a pair of function calls (CryptProtectData / CryptUnprotectData) that provide operating system-level data protection services to user and system processes. DPAPI initially generates a strong key called a MasterKey, which is protected by the user’s password. DPAPI uses a standard cryptographic process called Password-Based Key Derivation to generate a key from the password. This password-derived key is then used with Triple-DES to encrypt the MasterKey, which is finally stored in the user’s profile directory.

When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a MasterKey is generated, DPAPI talks to a Domain Controller. Domain Controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the Domain Controller public key from a Domain Controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the MasterKey with the Domain Controller public key. It then stores this backup MasterKey along with the MasterKey protected by the user’s password.

Offensive Tradecraft#

If an adversary obtains domain admin (or equivalent) privileges, the domain backup key can be stolen and used to decrypt any domain user master key. Tools such as Mimikatz with the method/module lsadump::backupkeys can be used to extract the domain backup key. It uses the LsaOpenPolicy/LsaRetrievePrivateData API calls (instead of MS-BKRP) to retrieve the value for the G\(BCKUPKEY_PREFERRED and G\)BCKUPKEY_P LSA secrets.

Additional reading

Pre-Recorded Security Datasets#

Metadata

Value

docs

https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-190518235535.html

link

https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_mimikatz_backupkeys_dcerpc_smb_lsarpc.zip

Download Dataset#

import requests
from zipfile import ZipFile
from io import BytesIO

url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_mimikatz_backupkeys_dcerpc_smb_lsarpc.zip'
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read Dataset#

import pandas as pd
from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Analytics#

A few initial ideas to explore your data and validate your detection logic:

Analytic I#

Monitor for any SecretObject with the string BCKUPKEY in the ObjectName.

Data source

Event Provider

Relationship

Event

Windows active directory

Microsoft-Windows-Security-Auditing

User accessed AD Object

4662

Logic#

SELECT `@timestamp`, Hostname, ObjectServer, ObjectType, ObjectName
FROM dataTable
WHERE LOWER(Channel) = "security"
    AND EventID = 4662
    AND AccessMask = "0x2"
    AND lower(ObjectName) LIKE "%bckupkey%"

Pandas Query#

(
df[['@timestamp','Hostname','ObjectServer','ObjectType','ObjectName']]

[(df['Channel'].str.lower() == 'security')
    & (df['EventID'] == 4662)
    & (df['AccessMask'] == '0x2')
    & (df['Message'].str.lower().str.contains('.*bckupkey.*', regex=True))
]
.head()
)

Analytic II#

We can get the user logon id of the user that accessed the bckupkey object and JOIN it with a successful logon event (4624) user logon id to find the source IP.

Data source

Event Provider

Relationship

Event

Authentication log

Microsoft-Windows-Security-Auditing

User authenticated Host

4624

Windows active directory

Microsoft-Windows-Security-Auditing

User accessed AD Object

4662

Logic#

SELECT o.`@timestamp`, o.Hostname, o.ObjectName, a.IpAddress
FROM dataTable o
INNER JOIN (
    SELECT Hostname,TargetUserName,TargetLogonId,IpAddress
    FROM dataTable
    WHERE LOWER(Channel) = "security"
        AND EventID = 4624
        AND LogonType = 3
        AND NOT TargetUserName LIKE "%$"
    ) a
ON o.SubjectLogonId = a.TargetLogonId
WHERE LOWER(Channel) = "security"
    AND o.EventID = 4662
    AND o.AccessMask = "0x2"
    AND lower(o.ObjectName) LIKE "%bckupkey%"
    AND o.Hostname = a.Hostname

Pandas Query#

backupKeyDf = (
df[['@timestamp','Hostname','ObjectName','IpAddress','SubjectLogonId']]

[(df['Channel'].str.lower() == 'security')
    & (df['EventID'] == 4662)
    & (df['AccessMask'] == '0x2')
    & (df['ObjectName'].str.lower().str.contains('.*bckupkey.*', regex=True))
]
.head()
)

networkLogonDf = (
df[['@timestamp','Hostname','TargetUserName','TargetLogonId','IpAddress']]

[(df['Channel'].str.lower() == 'security')
    & (df['EventID'] == 4624)
    & (df['LogonType'] == 3)
    & (~df['SubjectUserName'].str.endswith('.*$', na=False))
]
.head()
)

(
pd.merge(backupKeyDf, networkLogonDf,
    left_on = ['SubjectLogonId','Hostname'], right_on = ['TargetLogonId','Hostname'], how = 'inner')
)

Analytic III#

Monitoring for access to the protected_storage named pipe via SMB is very interesting to identify potential DPAPI activity over the network. Mimikatz uses the Lsarpc named pipe now.

Data source

Event Provider

Relationship

Event

File

Microsoft-Windows-Security-Auditing

User accessed File

5145

Logic#

SELECT `@timestamp`, Hostname, SubjectUserName, ShareName, RelativeTargetName, AccessMask, IpAddress
FROM dataTable
WHERE LOWER(Channel) = "security"
    AND EventID = 5145
    AND ShareName LIKE "%IPC%"
    AND RelativeTargetName = "protected_storage"

Pandas Query#

(
df[['@timestamp','Hostname','SubjectUserName','ShareName','RelativeTargetName']]

[(df['Channel'].str.lower() == 'security')
    & (df['EventID'] == 5145)
    & (df['RelativeTargetName'].str.lower() == 'protected_storage')
    & (df['ShareName'].str.contains('.*IPC.*', regex=True))
]
)

Analytic IV#

This event generates every time that a backup is attempted for the DPAPI Master Key. When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. It migt be aleready created and this event might not trigger.

Data source

Event Provider

Relationship

Event

File

Microsoft-Windows-Security-Auditing

User requested access File

4692

Logic#

SELECT `@timestamp`, Hostname, SubjectUserName
FROM dataTable
WHERE LOWER(Channel) = "security"
    AND EventID = 4692

Pandas Query#

(
df[['@timestamp','Hostname','SubjectUserName']]

[(df['Channel'].str.lower() == 'security')
    & (df['EventID'] == 4692)
]
)

Known Bypasses#

False Positives#

Hunter Notes#

  • Backup key can be displayed as base64 blob or exported as a .pvk file on disk (Mimikatz-like)

  • Windows security event 4692 (Backup of data protection master key was attempted) also generates every time a new DPAPI Master Key is generated

  • When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller.