DPAPI Domain Backup Key Extraction


Description

DPAPI Domain Backup Keys are an essential part of the recovery of DPAPI secrets: any user master key in the domain can be decrypted with them. Various attack tools focus on extracting these keys from Domain Controllers using LSA RPC calls. Microsoft recognizes that there is no supported method to rotate or change these keys. Therefore, if the DPAPI backup keys for the domain are compromised, Microsoft recommends building an entirely new domain from scratch, which is a costly and lengthy operation.
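As an added example that is not part of the original indicator page, the following Python script flags Windows Security events that record a read of the domain's DPAPI backup key LSA secrets and reports who read them and from where. The use of Event ID 4662 with ObjectType SecretObject and BCKUPKEY_* object names, the flattened key=value log format, the allowlist tuning and every sample value are assumptions made for illustration, not something the page states.

```python
import re
from typing import Dict, FrozenSet, List

# Constructed sample of Security log events, flattened to key=value lines.
# Assumption: a read of a backup key secret shows up as Event ID 4662 with
# ObjectType SecretObject and an ObjectName starting with BCKUPKEY_.
# Names, GUIDs and addresses below are made up for this example.
SAMPLE_EVENTS = """
EventID=4662 SubjectUserName=svc-backup SubjectDomainName=CORP ObjectType=SecretObject ObjectName="BCKUPKEY_PREFERRED Secret" AccessMask=0x2 IpAddress=10.0.0.55
EventID=4662 SubjectUserName=DC01$ SubjectDomainName=CORP ObjectType=SecretObject ObjectName="BCKUPKEY_PREFERRED Secret" AccessMask=0x2 IpAddress=-
EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} ObjectName="DC=corp,DC=local" AccessMask=0x100 IpAddress=10.0.0.20
EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectType=SecretObject ObjectName="BCKUPKEY_11111111-2222-3333-4444-555555555555 Secret" AccessMask=0x2 IpAddress=10.0.0.20
""".strip()

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value log line; quoted values may contain spaces."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_backup_key_read(event: Dict[str, str]) -> bool:
    """True when the event records access to a DPAPI backup key LSA secret."""
    return (event.get("EventID") == "4662"
            and event.get("ObjectType") == "SecretObject"
            and event.get("ObjectName", "").upper().startswith("BCKUPKEY_"))


def detect(log_text: str, allowed_subjects: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Return one alert record per backup key read by a non-allowlisted subject.

    allowed_subjects holds DOMAIN\\account names you have verified as legitimate
    (an assumed tuning knob; which accounts belong there depends on your environment).
    """
    allowed = {subject.upper() for subject in allowed_subjects}
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if not is_backup_key_read(event):
            continue
        subject = f'{event.get("SubjectDomainName", "")}\\{event.get("SubjectUserName", "")}'
        if subject.upper() in allowed:
            continue
        alerts.append({"subject": subject, "object": event["ObjectName"],
                       "source_ip": event.get("IpAddress", "-"),
                       "access_mask": event.get("AccessMask", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, frozenset({"CORP\\DC01$"})):
        print(f'ALERT backup key read: {alert["subject"]} from {alert["source_ip"]} -> {alert["object"]}')
```

Because the keys cannot be rotated, every hit is worth an investigation rather than a tuning decision; the allowlist exists only to remove sources you have already confirmed.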

See Also

CQLabs - Extracting Roamed Private Keys from Active Directory

Operational Guidance for Offensive User DPAPI Abuse

DPAPI Secrets

DPAPI backup keys on Active Directory domain controllers

Indicator Details

Name: DPAPI Domain Backup Key Extraction

Codename: I-AdDpapiKey

Severity: Critical

MITRE ATT&CK Information:
ID: T1552.004
Sub-technique of: T1552
Tactic: TA0006