EXPLORE
← Back to Explore
elastichighTTP

Protected Storage Service Access via SMB

Identifies remote access to the Windows Protected Storage Service through the IPC$ share. Attackers may abuse this named pipe to interact with the Protected Storage Service and extract sensitive credentials, certificates, or DPAPI backup keys.

MITRE ATT&CK

credential-accesslateral-movement

Detection Query

host.os.type:windows and event.category:file and event.code:5145 and
  winlog.event_data.ShareName:"\\\\*\\IPC$" and
  winlog.event_data.RelativeTargetName:"protected_storage" and
  not source.ip:("::" or "::1" or "0.0.0.0" or "127.0.0.1")

Author

Elastic

Created

2026/06/26

Data Sources

Active DirectoryWindows Security Event Logslogs-system.security*logs-windows.forwarded*winlogbeat-*

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Credential AccessTactic: Lateral MovementResources: Investigation GuideUse Case: Active Directory MonitoringData Source: Active DirectoryData Source: Windows Security Event Logs
Raw Content
[metadata]
creation_date = "2026/06/26"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2026/06/26"

[rule]
author = ["Elastic"]
description = """
Identifies remote access to the Windows Protected Storage Service through the IPC$ share. Attackers may abuse this
named pipe to interact with the Protected Storage Service and extract sensitive credentials, certificates, or DPAPI
backup keys.
"""
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Protected Storage Service Access via SMB"
note = """## Triage and analysis

### Investigating Protected Storage Service Access via SMB

The Protected Storage Service manages sensitive user data such as passwords, certificates, and private keys. Remote
access to the `protected_storage` named pipe over the IPC$ share is unusual and may indicate an attempt to extract
credentials or abuse DPAPI to retrieve domain backup keys from domain controllers.

#### Possible investigation steps

- Identify the source system and user account that initiated the access by reviewing `source.ip`, `user.name`, and
  `winlog.event_data.SubjectUserName`.
- Determine whether the target host is a domain controller or other high-value system that stores DPAPI backup keys.
- Review authentication events (4624, 4625) around the alert time to identify how the source authenticated to the
  target.
- Investigate other alerts associated with the source host or user during the past 48 hours.
- Check for follow-on credential access activity such as registry hive access, LSASS access, or lateral movement.

### False positive analysis

- This activity is rarely expected in most environments. If legitimate administrative tooling accesses this pipe,
  confirm the source, account, and target system before adding an exception.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the source host if unauthorized access is confirmed.
- Investigate credential exposure and reset passwords for potentially compromised accounts.
- Review domain controller DPAPI backup key exposure if the target is a domain controller.
"""
references = [
    "https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html",
    "https://www.elastic.co/security-labs/detect-credential-access",
]
setup = """## Setup

Audit Detailed File Share must be enabled to generate the events used by this rule.
Setup instructions: https://ela.st/audit-detailed-file-share
"""
risk_score = 73
rule_id = "9bed06f5-0c32-488a-9353-d565fc9d1573"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
    "Use Case: Active Directory Monitoring",
    "Data Source: Active Directory",
    "Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
host.os.type:windows and event.category:file and event.code:5145 and
  winlog.event_data.ShareName:"\\\\*\\IPC$" and
  winlog.event_data.RelativeTargetName:"protected_storage" and
  not source.ip:("::" or "::1" or "0.0.0.0" or "127.0.0.1")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.004"
name = "Private Keys"
reference = "https://attack.mitre.org/techniques/T1552/004/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[[rule.threat.technique.subtechnique]]
id = "T1021.002"
name = "SMB/Windows Admin Shares"
reference = "https://attack.mitre.org/techniques/T1021/002/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"