
Summary
This rule detects remote access to the Windows Protected Storage service over the IPC$ share, which attackers abuse to pull credential material off domain controllers. The protected_storage named pipe is the RPC endpoint of the BackupKey Remote Protocol (MS-BKRP); a client that can reach it may request the domain-wide DPAPI backup key, and whoever holds that key can decrypt any domain user's DPAPI master keys and the secrets they protect, including stored credentials and private keys.

Detection logic: a Windows Security file-share access event (Event ID 5145, "A network share object was checked to see whether client can be granted desired access") where ShareName matches \\*\IPC$ and RelativeTargetName is protected_storage, excluding events whose source address is loopback. The rule is anchored to Windows Security/SMB telemetry and is intended to catch credential access and lateral movement that go through Protected Storage.

The rule aligns with MITRE ATT&CK techniques T1021.002 (Remote Services: SMB/Windows Admin Shares) under Lateral Movement and T1555 (Credentials from Password Stores) and T1552.004 (Unsecured Credentials: Private Keys) under Credential Access.

Operational notes: Event ID 5145 is only generated when the "Audit Detailed File Share" subcategory (Object Access) is enabled for Success on the target host. Without that policy on the domain controllers the rule produces no events at all, so confirm coverage before relying on it.

Investigation: correlate the source IP, the subject account and the target system; tie the event's SubjectLogonId to the matching 4624 network logon (LogonType 3) to recover the authentication package and workstation name, and review 4625 failures from the same source; then look for follow-on credential-access activity or lateral movement from that host or account. False positives are possible for legitimate administrative or backup tooling that reaches this pipe; validate source, account and target before adding exceptions, and scope any exception to the specific source and account rather than the pipe name.

Recommended responses: isolate the source host if the access is unauthorized, reset potentially compromised passwords, and audit the domain controllers for DPAPI backup key exposure. Note that a retrieved domain DPAPI backup key is not invalidated by password resets; treat its exposure as a long-lived compromise rather than a one-off credential theft.
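The detection logic described above, applied to constructed sample events, as an added example that is not part of the original rule page or any vendor's rule implementation. It reproduces the 5145 / IPC$ / protected_storage match with the loopback exclusion and then correlates each hit with the 4624 network logon that carries the same logon ID, which is the first triage step the summary recommends. Field names follow the EventData names of the Security log; the record layout (a dict with event_id, computer and event_data) and the sample values are assumptions made for this example.

```python
"""Added example, not the rule's own code: 5145/IPC$/protected_storage detection
with loopback exclusion, plus 4624 correlation, over constructed sample events."""
import ipaddress
from typing import Iterable

# Constructed sample events (not real telemetry). Event 5145 only appears when the
# "Audit Detailed File Share" subcategory is enabled for Success on the target host.
SAMPLE_EVENTS = [
    # Remote access to the protected_storage pipe from a workstation: should alert.
    {"event_id": 5145, "computer": "DC01.corp.example", "event_data": {
        "SubjectUserName": "alice", "SubjectDomainName": "CORP",
        "SubjectLogonId": "0x3e7abc", "ObjectType": "File",
        "IpAddress": "10.0.0.5", "IpPort": "49812",
        "ShareName": "\\\\*\\IPC$", "ShareLocalPath": "",
        "RelativeTargetName": "protected_storage", "AccessMask": "0x12019f"}},
    # Same pipe, but from the IPv4 loopback interface: excluded by the rule.
    {"event_id": 5145, "computer": "DC01.corp.example", "event_data": {
        "SubjectUserName": "svc_backup", "SubjectDomainName": "CORP",
        "SubjectLogonId": "0x1a2b3c", "ObjectType": "File",
        "IpAddress": "127.0.0.1", "IpPort": "50000",
        "ShareName": "\\\\*\\IPC$", "ShareLocalPath": "",
        "RelativeTargetName": "protected_storage", "AccessMask": "0x12019f"}},
    # IPv6 loopback: also excluded.
    {"event_id": 5145, "computer": "DC01.corp.example", "event_data": {
        "SubjectUserName": "svc_backup", "SubjectDomainName": "CORP",
        "SubjectLogonId": "0x1a2b3c", "ObjectType": "File",
        "IpAddress": "::1", "IpPort": "50001",
        "ShareName": "\\\\*\\IPC$", "ShareLocalPath": "",
        "RelativeTargetName": "protected_storage", "AccessMask": "0x12019f"}},
    # Ordinary IPC$ pipe traffic (srvsvc) from a workstation: benign, no match.
    {"event_id": 5145, "computer": "DC01.corp.example", "event_data": {
        "SubjectUserName": "bob", "SubjectDomainName": "CORP",
        "SubjectLogonId": "0x4d5e6f", "ObjectType": "File",
        "IpAddress": "10.0.0.7", "IpPort": "51234",
        "ShareName": "\\\\*\\IPC$", "ShareLocalPath": "",
        "RelativeTargetName": "srvsvc", "AccessMask": "0x12019f"}},
    # Admin share file access: right pipe name would not matter, wrong share.
    {"event_id": 5145, "computer": "DC01.corp.example", "event_data": {
        "SubjectUserName": "carol", "SubjectDomainName": "CORP",
        "SubjectLogonId": "0x7a8b9c", "ObjectType": "File",
        "IpAddress": "10.0.0.9", "IpPort": "52000",
        "ShareName": "\\\\*\\C$", "ShareLocalPath": "\\??\\C:\\",
        "RelativeTargetName": "Windows\\Temp\\protected_storage", "AccessMask": "0x2"}},
    # The network logon (LogonType 3) behind the first 5145, used for correlation.
    {"event_id": 4624, "computer": "DC01.corp.example", "event_data": {
        "TargetUserName": "alice", "TargetDomainName": "CORP",
        "TargetLogonId": "0x3e7abc", "LogonType": "3",
        "IpAddress": "10.0.0.5", "AuthenticationPackageName": "NTLM",
        "WorkstationName": "WS-ALICE"}},
]


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8, ::1 and IPv4-mapped loopback; False for '-' or junk."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return addr.is_loopback


def matches_rule(event: dict) -> bool:
    """Rule logic: Event 5145, ShareName ending in IPC$, RelativeTargetName
    protected_storage (pipe names are case-insensitive), non-loopback source."""
    if event.get("event_id") != 5145:
        return False
    data = event.get("event_data", {})
    share = data.get("ShareName", "").rstrip("\\").rsplit("\\", 1)[-1].upper()
    target = data.get("RelativeTargetName", "").lower()
    if share != "IPC$" or target != "protected_storage":
        return False
    return not is_loopback(data.get("IpAddress", "-"))


def run_detection(events: Iterable[dict]) -> list[dict]:
    """One alert per matching 5145, enriched with the 4624 sharing its LogonId."""
    events = list(events)
    logons = {e["event_data"].get("TargetLogonId"): e["event_data"]
              for e in events if e.get("event_id") == 4624}
    alerts = []
    for e in events:
        if not matches_rule(e):
            continue
        d = e["event_data"]
        logon = logons.get(d.get("SubjectLogonId"), {})
        alerts.append({
            "target_host": e.get("computer"),
            "source_ip": d.get("IpAddress"),
            "user": f'{d.get("SubjectDomainName")}\\{d.get("SubjectUserName")}',
            "logon_id": d.get("SubjectLogonId"),
            "logon_type": logon.get("LogonType"),
            "auth_package": logon.get("AuthenticationPackageName"),
            "workstation": logon.get("WorkstationName"),
        })
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event survives: the two loopback accesses are dropped by the exclusion, the srvsvc access is normal SMB housekeeping, and the C$ record has the right file name but the wrong share. The correlated 4624 adds the authentication package and the client's workstation name, which is what you need to decide whether 10.0.0.5 is a known admin host or an unexpected source before isolating it.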
Categories
- Endpoint
- Windows
Data Sources
- File
- Network Traffic
ATT&CK Techniques
- T1555
- T1552
- T1552.004
- T1021
- T1021.002
Created: 2026-06-26