Protected Storage Service Access via SMB

Last updated 8 days ago on 2026-06-26
Created 8 days ago on 2026-06-26

About

Identifies remote access to the Windows Protected Storage Service through the IPC$ share. Attackers may abuse this named pipe to interact with the Protected Storage Service and extract sensitive credentials, certificates, or DPAPI backup keys.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Credential AccessTactic: Lateral MovementUse Case: Active Directory MonitoringData Source: Active DirectoryData Source: Windows Security Event LogsLanguage: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

Lateral Movement (TA0008)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-system.security*logs-windows.forwarded*winlogbeat-*
Related Integrations

system(external, opens in a new tab or window)

windows(external, opens in a new tab or window)

Query
text code block:
host.os.type:windows and event.category:file and event.code:5145 and winlog.event_data.ShareName:"\\\\*\\IPC$" and winlog.event_data.RelativeTargetName:"protected_storage" and not source.ip:("::" or "::1" or "0.0.0.0" or "127.0.0.1")

Install detection rules in Elastic Security

Detect Protected Storage Service Access via SMB in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).