Creation or Modification of Domain Backup DPAPI private key

Elastic Detection Rules

Summary
This detection rule identifies the creation or modification of Domain Backup private keys tied to Microsoft's Data Protection API (DPAPI). Adversaries can use the DPAPI backup key held on Domain Controllers to decrypt domain users' master key files. Because tools such as Mimikatz can extract these keys, the .pvk private key is critical: it could compromise the decryption of any user secrets protected by those master keys. The rule monitors file events on Windows systems for file names matching the private-key patterns 'ntds_capi_*.pfx' and 'ntds_capi_*.pvk'. Its implementation and efficacy depend on integration with multiple platforms, including Windows OS, SentinelOne, Microsoft Defender for Endpoint, and CrowdStrike, reflecting its broader use in endpoint detection and response solutions. The rule carries a high severity rating, with an associated risk score of 73, underscoring the critical nature of safeguarding domain credentials. Relevant references and triage notes are provided to help analysts investigate further and understand DPAPI functionality and the associated risks in enterprise environments.
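The matching logic the summary describes, as an added illustration rather than the rule's own query: file events on Windows hosts whose file name matches the two private-key patterns, restricted to creation or modification. The flattened ECS-style field names (`event.category`, `event.type`, `file.name`, `host.os.type`) and the sample events are assumptions constructed for this example; only the patterns, severity and risk score come from the page.

```python
import fnmatch
from typing import Iterable

# Glob patterns named by the rule summary for DPAPI domain backup key files.
BACKUP_KEY_PATTERNS = ("ntds_capi_*.pfx", "ntds_capi_*.pvk")
# Event types that count as creation or modification (ECS-style values; assumption).
TRIGGER_EVENT_TYPES = {"creation", "change"}
SEVERITY = "high"   # severity stated on the page
RISK_SCORE = 73     # risk score stated on the page


def is_backup_key_file(file_name: str) -> bool:
    """True if the file name matches one of the rule's private-key patterns.

    Windows file names are case-insensitive, so compare on the lowercased name.
    """
    name = file_name.lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in BACKUP_KEY_PATTERNS)


def evaluate(events: Iterable[dict]) -> list[dict]:
    """Apply the rule's conditions to a stream of flattened file events.

    Returns one alert per matching event, carrying the fields an analyst would
    want for triage (host, user, process, path) plus severity and risk score.
    """
    alerts = []
    for ev in events:
        if ev.get("host.os.type") != "windows":
            continue
        if ev.get("event.category") != "file":
            continue
        if not (set(ev.get("event.type", ())) & TRIGGER_EVENT_TYPES):
            continue
        if not is_backup_key_file(ev.get("file.name", "")):
            continue
        alerts.append({
            "rule": "Creation or Modification of Domain Backup DPAPI private key",
            "severity": SEVERITY,
            "risk_score": RISK_SCORE,
            "host": ev.get("host.name"),
            "user": ev.get("user.name"),
            "process": ev.get("process.executable"),
            "path": ev.get("file.path"),
            "event_type": sorted(set(ev["event.type"]) & TRIGGER_EVENT_TYPES),
        })
    return alerts


# Constructed sample events (not real telemetry). The GUID-like suffix is made up.
SAMPLE_EVENTS = [
    {   # backup key written to disk on a DC -> should alert
        "host.os.type": "windows", "host.name": "dc01", "user.name": "svc_backup",
        "event.category": "file", "event.type": ["creation"],
        "file.name": "ntds_capi_0_11111111-2222-3333-4444-555555555555.pvk",
        "file.path": "C:\\Temp\\ntds_capi_0_11111111-2222-3333-4444-555555555555.pvk",
        "process.executable": "C:\\Temp\\tool.exe",
    },
    {   # .pfx variant modified, mixed case -> should alert
        "host.os.type": "windows", "host.name": "dc01", "user.name": "svc_backup",
        "event.category": "file", "event.type": ["change"],
        "file.name": "NTDS_CAPI_0_11111111-2222-3333-4444-555555555555.PFX",
        "file.path": "C:\\Temp\\NTDS_CAPI_0_11111111-2222-3333-4444-555555555555.PFX",
        "process.executable": "C:\\Temp\\tool.exe",
    },
    {   # deletion of a matching name -> not creation/modification, no alert
        "host.os.type": "windows", "host.name": "dc01", "user.name": "admin",
        "event.category": "file", "event.type": ["deletion"],
        "file.name": "ntds_capi_0_11111111-2222-3333-4444-555555555555.pvk",
        "file.path": "C:\\Temp\\ntds_capi_0_11111111-2222-3333-4444-555555555555.pvk",
        "process.executable": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # unrelated .pvk file -> pattern does not match, no alert
        "host.os.type": "windows", "host.name": "ws07", "user.name": "dev",
        "event.category": "file", "event.type": ["creation"],
        "file.name": "user_cert.pvk", "file.path": "C:\\Users\\dev\\user_cert.pvk",
        "process.executable": "C:\\Tools\\makecert.exe",
    },
    {   # matching name but not a Windows host -> rule scope excludes it
        "host.os.type": "linux", "host.name": "build01", "user.name": "ci",
        "event.category": "file", "event.type": ["creation"],
        "file.name": "ntds_capi_0_test.pvk", "file.path": "/tmp/ntds_capi_0_test.pvk",
        "process.executable": "/usr/bin/cp",
    },
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The alert carries the writing process and user so that the triage step the page refers to can distinguish a documented administrative backup-key export from an unexpected process writing these files on a Domain Controller.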
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Windows Registry
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1552
  • T1552.004
  • T1555
Created: 2020-08-13