Kirbi File Creation

Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/08/23"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/03/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running
13Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the
14attacker to impersonate users using Kerberos tickets.
15"""
16from = "now-9m"
17interval = "60m"
18index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"]
19language = "eql"
20license = "Elastic License v2"
21name = "Kirbi File Creation"
22risk_score = 47
23rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
24severity = "medium"
25tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon"]
26timestamp_override = "event.ingested"
27type = "eql"
28
29query = '''
30file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
31'''
32
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36[[rule.threat.technique]]
37id = "T1003"
38name = "OS Credential Dumping"
39reference = "https://attack.mitre.org/techniques/T1003/"
40
41[[rule.threat.technique]]
42id = "T1558"
43name = "Steal or Forge Kerberos Tickets"
44reference = "https://attack.mitre.org/techniques/T1558/"
45
46
47
48[rule.threat.tactic]
49id = "TA0006"
50name = "Credential Access"
51reference = "https://attack.mitre.org/tactics/TA0006/"
