This note documents detection patterns for DPAPI dumping within Windows environments: extraction of Data Protection API masterkeys and of the DPAPI-protected blobs that depend on them (Credential Manager files, Windows Vault, browser password and cookie stores).
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects DPAPI extraction tooling and supporting commands; needs command-line auditing enabled to be useful. |
| Sysmon | 1 | Process creation | Critical | Best execution source for DPAPI dump utilities, with full command line and parent process. |
| Sysmon | 11 | File create | High | Captures exported blobs, decrypted masterkeys and browser credential dumps written to disk. Creates only; it does not see reads of existing masterkey files. |
| Sysmon | 10 | Process access | Critical | Strong signal when LSASS is opened to obtain DPAPI material (e.g. mimikatz `sekurlsa::dpapi` reads cached masterkeys from LSASS memory). Filter on GrantedAccess. |
| Security | 4656 | Handle requested | High | Sensitive object access; only logged when a SACL is set on the Protect/Credentials paths and Object Access auditing is on. |
| Security | 4663 | Object access | High | Read access to DPAPI directories or credential stores; same SACL requirement as 4656. The only native source for reads of masterkey files. |
| Sysmon | 7 | Image loaded | Medium | Useful when crypto libraries (crypt32.dll, dpapi.dll) load into processes that have no business calling CryptUnprotectData. |
| PowerShell | 4104 | Script block logging | Critical | Captures DPAPI extraction scripts, e.g. calls to `[System.Security.Cryptography.ProtectedData]::Unprotect` or P/Invoked `CryptUnprotectData`. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Access to Protect folder | `%APPDATA%\Microsoft\Protect\<SID>\<GUID>` masterkey files | Critical | Core DPAPI artifact path; every user blob depends on one of these keys. |
| Browser credential store access | Chrome / Edge `Login Data`, `Cookies` and `Local State` (holds the DPAPI-wrapped AES key) | Critical | Common post-DPAPI target. |
| Masterkey + LSASS access chain | Masterkey file read, then LSASS read, in a short window | Critical | Very strong credential theft pattern. |
| SharpDPAPI / Mimikatz usage | Command vocabulary rather than image name: `dpapi::masterkey`, `dpapi::cred`, `dpapi::chrome`, `sekurlsa::dpapi`, SharpDPAPI `masterkeys`, `credentials`, `triage` | Critical | Common operator workflow; binaries are routinely renamed. |
| Vault / credential file export | `%APPDATA%\Microsoft\Credentials`, `%LOCALAPPDATA%\Microsoft\Credentials`, `Microsoft\Vault` folders | High | Sensitive DPAPI material collection. |
| SYSTEM + user context mixing | Machine masterkeys under `%WINDIR%\System32\Microsoft\Protect\S-1-5-18` alongside user masterkeys | High | Broader credential scope (service and scheduled-task secrets as well as user secrets). |
Common Tools
| Tool | Usage |
|---|---|
| mimikatz | DPAPI credential extraction (`dpapi::*` module, `sekurlsa::dpapi` for cached masterkeys) |
| SharpDPAPI | DPAPI triage and decryption of masterkeys, credentials, vaults and browser data |
| PowerShell | Script-based extraction via `ProtectedData.Unprotect` / `CryptUnprotectData` |
| seatbelt | Credential discovery support (enumerates masterkey files, browser and vault presence) |
| browser dump tools | Chrome / Edge secret extraction |
| custom scripts | Blob parsing |
Relevant Artifacts
- Sysmon Event IDs 1, 10, 11
- Security Event IDs 4688, 4656, 4663
- PowerShell 4104
- DPAPI folders:
  - `%APPDATA%\Microsoft\Protect\`
  - `%APPDATA%\Microsoft\Credentials\`
  - `%LOCALAPPDATA%\Microsoft\Credentials\`
  - `%LOCALAPPDATA%\Google\Chrome\User Data\`
- Prefetch: MIMIKATZ.EXE, SHARPDPAPI.EXE (absent when the binary was renamed)
- Amcache execution history
- ShimCache traces
- MFT / USN for exported secrets
MITRE ATT&CK References
- T1003 OS Credential Dumping (T1003.001 LSASS Memory)
- T1555 Credentials from Password Stores (T1555.003 Credentials from Web Browsers, T1555.004 Windows Credential Manager)
- T1552 Unsecured Credentials (T1552.001 Credentials In Files)
Decision Tree
- Which DPAPI target was accessed?
  - Protect folder (masterkeys)
  - Credentials
  - Browser DB
- Which tool executed?
  - Mimikatz
  - SharpDPAPI
  - Script
- Was LSASS also accessed?
  - Sysmon 10
  - Token privilege (SeDebugPrivilege)
- Was output written?
  - Temp
  - Archive
  - Network share
- Expand:
  - Browser theft
  - Vault extraction
  - Lateral credential reuse
- Scope:
  - Single user
  - Multiple profiles
  - SYSTEM + user secrets
Example Detection Templates
KQL

```kql
// Sysmon 1: DPAPI tooling by command vocabulary; image names are trivially renamed.
// `has` matches whole terms, so "dpapi" catches "dpapi::masterkey" but not "SharpDPAPI".
Sysmon
| where EventID == 1
| where CommandLine has_any ("SharpDPAPI", "mimikatz", "sekurlsa", "dpapi", "masterkeys", "machinemasterkeys", "backupkey")
| project TimeGenerated, Computer, User, ParentImage, Image, CommandLine
```

```kql
// Sysmon 10: LSASS opened with a memory-read mask. Allowlist your EDR/AV images
// by SourceImage rather than by path prefix in production.
Sysmon
| where EventID == 10
| where TargetImage endswith @"\lsass.exe"
| where GrantedAccess in~ ("0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff")
| project TimeGenerated, Computer, SourceImage, TargetImage, GrantedAccess, CallTrace
```

EQL

```eql
process where process.command_line like~ ("*SharpDPAPI*", "*dpapi::*", "*sekurlsa::dpapi*", "*masterkeys*")
```

```eql
// Tool execution followed within 5 minutes by a file event under the Protect folder.
// Sysmon 11 only records creates; feed 4663 (SACL on the Protect path) into the
// file category if you want to see reads of existing masterkeys.
sequence by host.name with maxspan=5m
  [ process where process.name in~ ("SharpDPAPI.exe", "mimikatz.exe") or process.command_line like~ "*dpapi::*" ]
  [ file where file.path like~ "*\\Microsoft\\Protect\\*" ]
```

Sigma

```yaml
title: DPAPI Dumping Detection
id: 1a5f44d0-dpapi-dump   # placeholder; Sigma requires a UUID here
status: experimental
description: Detects DPAPI extraction activity linked to credential theft
references:
  - https://attack.mitre.org/techniques/T1003/
  - https://attack.mitre.org/techniques/T1555/
author: Vergil
date: 2026-03-07
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'SharpDPAPI'
      - 'dpapi::'
      - 'sekurlsa::dpapi'
      - 'mimikatz'
      - 'masterkeys'
  condition: selection
fields:
  - CommandLine
  - ParentImage
falsepositives:
  - Security testing
  - Administrative scripts whose command line legitimately mentions DPAPI
level: high
tags:
  - attack.credential_access
  - attack.t1003
  - attack.t1555
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Protect LSASS | RunAsPPL | Critical | Blocks unprotected processes from reading LSASS, so `sekurlsa::dpapi` cannot pull cached masterkeys. On-disk masterkeys remain decryptable with the user's password or the domain backup key. |
| EDR process access | Monitor LSASS reads | Critical | Strong correlation point; alert on read masks, not on every handle. |
| Domain DPAPI backup key | Restrict DC access; monitor `lsadump::backupkeys` / SharpDPAPI `backupkey` | Critical | The domain backup key decrypts every domain user's masterkey without their password. |
| Credential vault hardening | Limit secret storage | High | Reduce exposure. |
| Sysmon file visibility | Watch Protect/Credentials access | High | Sysmon 11 covers exports only; add a SACL and 4663 to see reads of masterkey files. |
| Browser secret controls | Enterprise password policies | High | Reduce the value of DPAPI-protected browser secrets. |