Kirbi File Creation

Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/08/23"
 3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 6min_stack_version = "8.14.0"
 7updated_date = "2024/10/31"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running
13Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the
14attacker to impersonate users using Kerberos tickets.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "winlogbeat-*", "endgame-*", "logs-crowdstrike.fdr*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Kirbi File Creation"
21risk_score = 73
22rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
23severity = "high"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame", "Data Source: Crowdstrike"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
30'''
31
32
33[[rule.threat]]
34framework = "MITRE ATT&CK"
35[[rule.threat.technique]]
36id = "T1003"
37name = "OS Credential Dumping"
38reference = "https://attack.mitre.org/techniques/T1003/"
39
40[[rule.threat.technique]]
41id = "T1558"
42name = "Steal or Forge Kerberos Tickets"
43reference = "https://attack.mitre.org/techniques/T1558/"
44
45
46
47[rule.threat.tactic]
48id = "TA0006"
49name = "Credential Access"
50reference = "https://attack.mitre.org/tactics/TA0006/"

Related rules

to-top