4695 Unprotection of auditable protected data was attempted

Written when an attempt is made to decrypt (unprotect) DPAPI data that was protected with the audit flag. It is the counterpart of 4694, which records the protect side of the same data.

Overview

The subcategory is Audit DPAPI Activity. The event is generated when the CryptUnprotectData() function attempts to decrypt “auditable” data, that is, data that was protected by CryptProtectData() with the CRYPTPROTECT_AUDIT flag. The original documentation gives no example.

How it is triggered

  • When data protected with the audit flag is decrypted via CryptUnprotectData().

Security review points

  • Decrypting protected data is the “extract the contents” operation, so decryption by an unexpected subject or process is notable as access to protected data. Pair this event with 4694 on the protection side and track the protect-to-unprotect flow.
  • Because an attacker who decrypts and steals DPAPI-protected data (such as credentials) would also produce this event, confirm what the application involved was doing.

Notes for log review

  • Limited to flagged data, so the volume is low. Confirm the subject and process performing the decryption are legitimate.
  • It is recorded only where DPAPI Activity auditing is enabled.
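The following PowerShell is an added example and is not code from the original page: it protects a constructed value with CRYPTPROTECT_AUDIT (which writes 4694), unprotects it again (which writes 4695), and then pulls the 4695 events from the Security log so the subject and data description can be checked as the notes above recommend. It assumes a Windows host with “Audit DPAPI Activity” enabled and an elevated session that can read the Security log; the P/Invoke wrapper (the DpapiAudit class), the helper function names and the sample value are this example's own, and the flag values 0x1 (CRYPTPROTECT_UI_FORBIDDEN) and 0x10 (CRYPTPROTECT_AUDIT) are the documented crypt32 constants.

```powershell
# Added example (not from the original page). Assumes Windows, DPAPI Activity auditing
# enabled, and an elevated session for reading the Security log. The wrapper below is
# this example's own P/Invoke declaration of the documented crypt32 functions.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class DpapiAudit
{
    [StructLayout(LayoutKind.Sequential)]
    public struct DATA_BLOB { public int cbData; public IntPtr pbData; }

    public const uint CRYPTPROTECT_UI_FORBIDDEN = 0x1;   // never show a UI prompt
    public const uint CRYPTPROTECT_AUDIT        = 0x10;  // write 4694 on protect, 4695 on unprotect

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CryptProtectData(ref DATA_BLOB pDataIn, string szDataDescr,
        IntPtr pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct, uint dwFlags,
        ref DATA_BLOB pDataOut);

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CryptUnprotectData(ref DATA_BLOB pDataIn, out IntPtr ppszDataDescr,
        IntPtr pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct, uint dwFlags,
        ref DATA_BLOB pDataOut);

    [DllImport("kernel32.dll")]
    public static extern IntPtr LocalFree(IntPtr hMem);
}
'@

$M = [Runtime.InteropServices.Marshal]

# Copy a managed byte array into an unmanaged DATA_BLOB (caller frees pbData).
function New-Blob([byte[]]$Bytes) {
    $b = New-Object DpapiAudit+DATA_BLOB
    $b.cbData = $Bytes.Length
    $b.pbData = $M::AllocHGlobal($Bytes.Length)
    $M::Copy($Bytes, 0, $b.pbData, $Bytes.Length)
    return $b
}

# Protect with the audit flag: the description passed here is what 4694/4695 report as Data Description.
function Protect-AuditedData([byte[]]$Plain, [string]$Description) {
    $in = New-Blob $Plain; $out = New-Object DpapiAudit+DATA_BLOB
    try {
        $flags = [DpapiAudit]::CRYPTPROTECT_UI_FORBIDDEN -bor [DpapiAudit]::CRYPTPROTECT_AUDIT
        $ok = [DpapiAudit]::CryptProtectData([ref]$in, $Description, [IntPtr]::Zero,
                  [IntPtr]::Zero, [IntPtr]::Zero, $flags, [ref]$out)
        if (-not $ok) { throw "CryptProtectData failed, Win32 error $($M::GetLastWin32Error())" }
        $cipher = New-Object byte[] $out.cbData
        $M::Copy($out.pbData, $cipher, 0, $out.cbData)       # copy the DPAPI blob out
        return $cipher
    } finally {
        $M::FreeHGlobal($in.pbData)
        if ($out.pbData -ne [IntPtr]::Zero) { [void][DpapiAudit]::LocalFree($out.pbData) }
    }
}

# Unprotect: this call is what produces event 4695 for a blob that carries the audit flag.
function Unprotect-AuditedData([byte[]]$Cipher) {
    $in = New-Blob $Cipher; $out = New-Object DpapiAudit+DATA_BLOB; $descr = [IntPtr]::Zero
    try {
        $ok = [DpapiAudit]::CryptUnprotectData([ref]$in, [ref]$descr, [IntPtr]::Zero,
                  [IntPtr]::Zero, [IntPtr]::Zero, [DpapiAudit]::CRYPTPROTECT_UI_FORBIDDEN, [ref]$out)
        if (-not $ok) { throw "CryptUnprotectData failed, Win32 error $($M::GetLastWin32Error())" }
        $plain = New-Object byte[] $out.cbData
        $M::Copy($out.pbData, $plain, 0, $out.cbData)
        return [pscustomobject]@{ Description = $M::PtrToStringUni($descr); Plain = $plain }
    } finally {
        $M::FreeHGlobal($in.pbData)
        foreach ($p in @($out.pbData, $descr)) { if ($p -ne [IntPtr]::Zero) { [void][DpapiAudit]::LocalFree($p) } }
    }
}

# Review: one row per 4695 event, with every EventData field taken from the event's own XML
# (no field names are hard-coded). Check the Subject* fields (who) against the data description (what).
function Get-DpapiUnprotectEvents([int]$MaxEvents = 50) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4695 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $row = [ordered]@{ TimeCreated = $_.TimeCreated }
            $x = [xml]$_.ToXml()
            foreach ($d in $x.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
            [pscustomobject]$row
        }
}

# Round trip on a constructed value (not a real credential): protect writes 4694, unprotect writes 4695.
$sample = 'constructed sample value'
$blob   = Protect-AuditedData -Plain ([Text.Encoding]::UTF8.GetBytes($sample)) -Description 'example audited secret'
$result = Unprotect-AuditedData -Cipher $blob
"Description: $($result.Description); round trip ok: $([Text.Encoding]::UTF8.GetString($result.Plain) -eq $sample)"
Get-DpapiUnprotectEvents -MaxEvents 10 | Format-List
```

Two points worth keeping in mind when reading the output. The audit flag only causes the events to be written; it does not stop the decryption, so 4695 is evidence of access, not a control. And only data that was protected with CRYPTPROTECT_AUDIT ever produces 4695: .NET's ProtectedData.Protect, for example, does not expose the flag, so a round trip through it is silent, which is why the event volume stays low and a single unexpected subject or process in the list is worth a look.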

Key fields

Field                   Meaning
Subject\Account Name    The subject that performed the decryption
Data Description        A description of the target data

References