
Summary
This detection rule identifies potential unauthorized extraction of the Data Protection API (DPAPI) domain backup key from Windows Domain Controllers. It monitors Security Event ID 4662, which records an operation performed on an object within the Windows security model together with the access rights exercised; here the objects of interest are secret objects. The detection looks for access to objects whose name contains 'BCKUPKEY' and checks that the access mask indicates access to the secret. Because the DPAPI domain backup key is crucial for recovering DPAPI-encrypted data, any retrieval attempt may indicate malicious behavior, particularly credential theft, aligning with MITRE ATT&CK technique T1003.004. The rule carries a high severity level, reflecting the sensitivity of key material associated with domain credentials.
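The matching logic described above, replayed over constructed Security Event ID 4662 records, as an added example that is not the rule's own code. The page names only the event ID and the 'BCKUPKEY' substring; the ObjectType value 'SecretObject' and the access mask 0x2 (SECRET_QUERY_VALUE, reading a secret) are assumptions, and the check tests for that bit rather than requiring the mask to be exactly 0x2, which generalizes the single value a rule would typically list.

```python
# Added example: detect reads of the DPAPI domain backup key in 4662 events.
# Assumed values (not stated on the page): ObjectType 'SecretObject' and
# access mask 0x2 (SECRET_QUERY_VALUE). Only EventID and 'BCKUPKEY' are given.
TARGET_EVENT_ID = 4662
TARGET_OBJECT_TYPE = "SecretObject"   # assumption
SECRET_QUERY_VALUE = 0x2              # assumption: read access to a secret
KEY_MARKER = "BCKUPKEY"


def parse_mask(value) -> int:
    """Normalise AccessMask, which logs may carry as '0x2', '2' or an int."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def matches_backupkey_read(event: dict) -> bool:
    """True when a 4662 event shows secret-read access to a BCKUPKEY object."""
    if event.get("EventID") != TARGET_EVENT_ID:
        return False
    if event.get("ObjectType") != TARGET_OBJECT_TYPE:
        return False
    if KEY_MARKER not in str(event.get("ObjectName", "")).upper():
        return False
    # Bit test: a combined mask such as 0x3 still includes the read right.
    return bool(parse_mask(event.get("AccessMask", 0)) & SECRET_QUERY_VALUE)


def find_alerts(events):
    """Return (SubjectUserName, ObjectName) for every matching event."""
    return [(e.get("SubjectUserName", "?"), e["ObjectName"])
            for e in events if matches_backupkey_read(e)]


# Constructed sample events for illustration; account and object names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "svc-backup", "ObjectType": "SecretObject",
     "ObjectName": "G$BCKUPKEY_P", "AccessMask": "0x2"},
    # Same object but a different right exercised: not a read of the key
    {"EventID": 4662, "SubjectUserName": "admin-jdoe", "ObjectType": "SecretObject",
     "ObjectName": "G$BCKUPKEY_P", "AccessMask": "0x1"},
    # A different secret object being read: out of scope for this rule
    {"EventID": 4662, "SubjectUserName": "DC01$", "ObjectType": "SecretObject",
     "ObjectName": "NL$KM", "AccessMask": "0x2"},
    # Matching name but a different event ID and object type
    {"EventID": 4663, "SubjectUserName": "svc-backup", "ObjectType": "File",
     "ObjectName": "C:\\temp\\BCKUPKEY.bin", "AccessMask": "0x2"},
]

if __name__ == "__main__":
    for user, obj in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT DPAPI backup key read: {user} -> {obj}")
```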
Categories
- Windows
- On-Premise
Data Sources
- Windows Registry
- Logon Session
Created: 2019-06-20