From 54300bef0743ee4b08fb667c065d70bb799eb5d7 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 26 Jun 2026 14:42:11 +0100
Subject: [PATCH 1/3] [New] Protected Storage Service Access via SMB

Identifies remote access to the Windows Protected Storage Service through the IPC$ share. Attackers may abuse this named pipe to interact with the Protected Storage Service and extract sensitive credentials, certificates, or DPAPI backup keys.
---
 ...cess_protected_storage_service_access.toml | 112 ++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100644 rules/windows/credential_access_protected_storage_service_access.toml

diff --git a/rules/windows/credential_access_protected_storage_service_access.toml b/rules/windows/credential_access_protected_storage_service_access.toml
new file mode 100644
index 00000000000..a5c0b2da5ee
--- /dev/null
+++ b/rules/windows/credential_access_protected_storage_service_access.toml
@@ -0,0 +1,112 @@
+[metadata]
+creation_date = "2026/06/26"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2026/06/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies remote access to the Windows Protected Storage Service through the IPC$ share. Attackers may abuse this
+named pipe to interact with the Protected Storage Service and extract sensitive credentials, certificates, or DPAPI
+backup keys.
+"""
+from = "now-9m"
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Protected Storage Service Access via SMB"
+note = """## Triage and analysis
+
+### Investigating Protected Storage Service Access via SMB
+
+The Protected Storage Service manages sensitive user data such as passwords, certificates, and private keys. Remote
+access to the `protected_storage` named pipe over the IPC$ share is unusual and may indicate an attempt to extract
+credentials or abuse DPAPI to retrieve domain backup keys from domain controllers.
+
+#### Possible investigation steps
+
+- Identify the source system and user account that initiated the access by reviewing `source.ip`, `user.name`, and
+ `winlog.event_data.SubjectUserName`.
+- Determine whether the target host is a domain controller or other high-value system that stores DPAPI backup keys.
+- Review authentication events (4624, 4625) around the alert time to identify how the source authenticated to the
+ target.
+- Investigate other alerts associated with the source host or user during the past 48 hours.
+- Check for follow-on credential access activity such as registry hive access, LSASS access, or lateral movement.
+
+### False positive analysis
+
+- This activity is rarely expected in most environments. If legitimate administrative tooling accesses this pipe,
+ confirm the source, account, and target system before adding an exception.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the source host if unauthorized access is confirmed.
+- Investigate credential exposure and reset passwords for potentially compromised accounts.
+- Review domain controller DPAPI backup key exposure if the target is a domain controller.
+"""
+references = [
+ "https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html",
+ "https://www.elastic.co/security-labs/detect-credential-access",
+]
+risk_score = 73
+rule_id = "9bed06f5-0c32-488a-9353-d565fc9d1573"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Lateral Movement",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Active Directory",
+ "Data Source: Windows Security Event Logs",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+host.os.type:windows and event.category:file and event.code:5145 and
+ winlog.event_data.ShareName:"\\\\*\\IPC$" and
+ winlog.event_data.RelativeTargetName:"protected_storage" and
+ not source.ip:("::" or "::1" or "0.0.0.0" or "127.0.0.1")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.004"
+name = "LSA Secrets"
+reference = "https://attack.mitre.org/techniques/T1003/004/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.002"
+name = "SMB/Windows Admin Shares"
+reference = "https://attack.mitre.org/techniques/T1021/002/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"

From cf7de27b621826f1f755277a8d99df165a73124a Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 26 Jun 2026 15:41:30 +0100
Subject: [PATCH 2/3] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../credential_access_protected_storage_service_access.toml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rules/windows/credential_access_protected_storage_service_access.toml b/rules/windows/credential_access_protected_storage_service_access.toml
index a5c0b2da5ee..94c653977cf 100644
--- a/rules/windows/credential_access_protected_storage_service_access.toml
+++ b/rules/windows/credential_access_protected_storage_service_access.toml
@@ -50,6 +50,11 @@ references = [
 "https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html",
 "https://www.elastic.co/security-labs/detect-credential-access",
 ]
+setup = """## Setup
+
+Audit Detailed File Share must be enabled to generate the events used by this rule.
+Setup instructions: https://ela.st/audit-detailed-file-share
+"""
 risk_score = 73
 rule_id = "9bed06f5-0c32-488a-9353-d565fc9d1573"
 severity = "high"

From d5627c97dab536ee98b7d9983486f9696fdd8087 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 26 Jun 2026 15:41:51 +0100
Subject: [PATCH 3/3] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 ...ccess_protected_storage_service_access.toml | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/rules/windows/credential_access_protected_storage_service_access.toml b/rules/windows/credential_access_protected_storage_service_access.toml
index 94c653977cf..3146201aa53 100644
--- a/rules/windows/credential_access_protected_storage_service_access.toml
+++ b/rules/windows/credential_access_protected_storage_service_access.toml
@@ -84,15 +84,19 @@ host.os.type:windows and event.category:file and event.code:5145 and
 framework = "MITRE ATT&CK"
 
 [[rule.threat.technique]]
-id = "T1003"
-name = "OS Credential Dumping"
-reference = "https://attack.mitre.org/techniques/T1003/"
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
 
-[[rule.threat.technique.subtechnique]]
-id = "T1003.004"
-name = "LSA Secrets"
-reference = "https://attack.mitre.org/techniques/T1003/004/"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.004"
+name = "Private Keys"
+reference = "https://attack.mitre.org/techniques/T1552/004/"
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
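Review bot: The added `[[rule.threat.technique.subtechnique]]` header follows `reference = "https://attack.mitre.org/techniques/T1552/"` with no blank line, unlike every other table header in the file, and the hunk counts (15 old, 19 new) confirm no blank context line sits there; add one so the T1552 block is formatted like the T1555 block above it. The subtechnique still attaches to the T1552 element, because `[[rule.threat.technique.subtechnique]]` appends to the most recently opened `[[rule.threat.technique]]`, so this is formatting only and the mapping itself parses as intended. The `[rule.threat.tactic]` table in which this hunk ends continues past the hunk.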