Kirbi File Creation

Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/08/23"
 3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 6min_stack_version = "8.13.0"
 7updated_date = "2024/06/25"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running
13Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the
14attacker to impersonate users using Kerberos tickets.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Kirbi File Creation"
21risk_score = 47
22rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
23severity = "medium"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
30'''
31
32
33[[rule.threat]]
34framework = "MITRE ATT&CK"
35[[rule.threat.technique]]
36id = "T1003"
37name = "OS Credential Dumping"
38reference = "https://attack.mitre.org/techniques/T1003/"
39
40[[rule.threat.technique]]
41id = "T1558"
42name = "Steal or Forge Kerberos Tickets"
43reference = "https://attack.mitre.org/techniques/T1558/"
44
45
46
47[rule.threat.tactic]
48id = "TA0006"
49name = "Credential Access"
50reference = "https://attack.mitre.org/tactics/TA0006/"
